[openssl-users] Trusting certificates with the same subject name and overlapping validity periods
Jordan Brown
openssl at jordan.maileater.net
Wed Sep 20 21:13:14 UTC 2017
On 9/20/2017 10:28 AM, Walter H. via openssl-users wrote:
> On 20.09.2017 18:33, Jordan Brown wrote:
>>
>> Q: Does OpenSSL's trust-list verification support trusting multiple
>> certificates with the same subject name and overlapping validity periods?
>>
> do these replacement certificates have the same serial number and the
> same private key?
I'll check with my colleague who is doing the actual work, but...

I assume that they do not have the same serial number, since they are
new certificates.

I don't know whether they have the same private key. For discussion
purposes, let's say that they might or might not have the same key.

Remember that these are customer-controlled certificates; I don't get to
tell them how the certificates should be structured.

Note that this would be easy if each successive certificate had a
different Subject, because then the trust list could contain all of them
and there would be no possibility for confusion. But they don't.

--
Jordan Brown, Oracle Solaris