[openssl-users] Properly manage CA-signed certificates that have expired

Jeffrey Walton noloader at gmail.com
Thu Mar 31 23:10:08 UTC 2016

On Thu, Mar 31, 2016 at 6:36 PM, Ben Humpert <ben at an3k.de> wrote:
> 2016-03-31 18:09 GMT+02:00 Jakob Bohm <jb-openssl at wisemo.com>:
>> On 31/03/2016 17:16, warron.french wrote:
>> 3.  Then create new server certificates for the 2 servers again.
>> Yep, and give the new ones a slightly different "full"
>> distinguished name (important for CRL and "ca" database).
>> My approach is to include the year-month as an extra OU e.g.
>>   CN=foo.example.private,OU=isonetwork,OU=2016-03,O=YourCompany
>> Inc,L=YourTown,C=XX
> Why is this that important? Isn't the serial and/or keyid/hash enough
> to differentiate between both certs? Or is it just another "layer of
> security" for some not that correctly working clients out there?

It could depend when Path Building (RFC 4158,
https://tools.ietf.org/rfc/rfc4158.txt), modulo some other things.

The two ways to uniquely identify a certificate is (1) hash of the
issuer public key, which shows up as AKID in the subject; and (2) the
pair {distinguished name, serial number} in the subjects certificate.

Some user agents have had problems when CA re-certifying the same
public key on a roll over when (1) the DN stays the same, and (2) the
hash changes. I think OpenSSL had a pain point here for a while. I
think Viktor fixed it recently (within the last year or so).

Issuers are supposed to ensure serial numbers are unique, but....


More information about the openssl-users mailing list