[openssl-users] Properly manage CA-signed certificates that have expired

Ben Humpert ben at an3k.de
Thu Mar 31 22:36:28 UTC 2016


2016-03-31 18:09 GMT+02:00 Jakob Bohm <jb-openssl at wisemo.com>:
> On 31/03/2016 17:16, warron.french wrote:
> 3.  Then create new server certificates for the 2 servers again.
>
> Yep, and give the new ones a slightly different "full"
> distinguished name (important for CRL and "ca" database).
> My approach is to include the year-month as an extra OU e.g.
>
>   CN=foo.example.private,OU=isonetwork,OU=2016-03,O=YourCompany Inc,L=YourTown,C=XX

Why is this that important? Isn't the serial and/or keyid/hash enough
to differentiate between both certs? Or is it just another "layer of
security" for some clients out there that don't work quite correctly?

Thanks!
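As an added example that is not part of the thread, the following Python models the `ca` database check Jakob alludes to: `openssl ca` with `unique_subject = yes` (its default) refuses a new certificate whose subject matches a row still flagged "V" in index.txt, and expired rows keep that flag until `openssl ca -updatedb` is run, so reissuing the identical DN fails however different the serial is. The index rows and DN strings below are constructed from the quoted example; they are not from a real CA.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

# Constructed index.txt rows (not from the thread). Tab-separated columns:
# status (V/R/E), expiry (YYMMDDHHMMSSZ), revocation date, serial, file, subject.
# Row 1 expired in March 2016 but still reads "V": index.txt keeps expired rows
# flagged valid until `openssl ca -updatedb` is run.
SAMPLE_INDEX = (
    "V\t160301120000Z\t\t1001\tunknown\t"
    "/C=XX/L=YourTown/O=YourCompany Inc/OU=isonetwork/CN=foo.example.private\n"
    "R\t170331120000Z\t160115090000Z\t1002\tunknown\t"
    "/C=XX/L=YourTown/O=YourCompany Inc/OU=isonetwork/CN=bar.example.private\n"
)
OLD_DN = "/C=XX/L=YourTown/O=YourCompany Inc/OU=isonetwork/CN=foo.example.private"
# Jakob's scheme: the same name plus an extra OU carrying the issue month.
NEW_DN = "/C=XX/L=YourTown/O=YourCompany Inc/OU=2016-03/OU=isonetwork/CN=foo.example.private"

@dataclass
class Entry:
    status: str
    expiry: datetime
    serial: str
    subject: str

def parse_index(text: str) -> List[Entry]:
    """Parse index.txt rows; the revocation-date and file columns are not needed here."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, exp, _rev, serial, _file, subject = line.split("\t")
        entries.append(Entry(status, datetime.strptime(exp, "%y%m%d%H%M%SZ"), serial, subject))
    return entries

def update_db(entries: List[Entry], now: datetime) -> List[Entry]:
    """Model `openssl ca -updatedb`: flag valid rows whose expiry has passed as E."""
    for e in entries:
        if e.status == "V" and e.expiry < now:
            e.status = "E"
    return entries

def can_issue(entries: List[Entry], subject: str, unique_subject: bool = True) -> Tuple[bool, str]:
    """unique_subject = yes: only rows still flagged V count, and a matching subject is refused."""
    if unique_subject:
        for e in entries:
            if e.status == "V" and e.subject == subject:
                return False, f"ERROR:There is already a certificate for {subject} (serial {e.serial})"
    return True, "ok"
```

Setting `unique_subject = no` in the CA configuration, or running `-updatedb` before reissuing, also clears the collision; the distinct OU simply avoids relying on either.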

