[openssl-users] Properly manage CA-signed certificates that have expired

Jakob Bohm jb-openssl at wisemo.com
Thu Mar 31 23:01:54 UTC 2016

On 01/04/2016 00:36, Ben Humpert wrote:
> 2016-03-31 18:09 GMT+02:00 Jakob Bohm <jb-openssl at wisemo.com>:
>> On 31/03/2016 17:16, warron.french wrote:
>> 3.  Then create new server certificates for the 2 servers again.
>> Yep, and give the new ones a slightly different "full"
>> distinguished name (important for CRL and "ca" database).
>> My approach is to include the year-month as an extra OU e.g.
>>    CN=foo.example.private,OU=isonetwork,OU=2016-03,O=YourCompany
>> Inc,L=YourTown,C=XX
> Why is this that important? Isn't the serial and/or keyid/hash enough
> to differentiate between both certs? Or is it just another "layer of
> security" for some not that correctly working clients out there?
Some protocols and data formats identify certificates
only by their issuer and subject distinguished names.

One of those is the default database format used by
the "openssl ca" utility (there is an option to avoid
this, but it must be set when initially creating the CA,
so cannot be assumed or suggested when someone already
has a running site CA of unknown configuration).

Adding this explicit date also makes it easier to
identify the correct certificate in various user
interfaces (it takes more brain time checking the
serial numbers or dates of each candidate
certificate when trying to pick the right one as
part of a server configuration etc.).

I seem to recall there was one other protocol that
relied solely on the DN, but I can't remember which
one right now.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list