[openssl-users] Trusting certificates with the same subject name and overlapping validity periods

Jordan Brown openssl at jordan.maileater.net
Wed Sep 20 21:13:14 UTC 2017

On 9/20/2017 10:28 AM, Walter H. via openssl-users wrote:
> On 20.09.2017 18:33, Jordan Brown wrote:
>> Q:  Does OpenSSL's trust-list verification support trusting multiple
>> certificates with the same subject name and overlapping validity periods?
> do these replacement certificates have the same serial number and the
> same private key?

I'll check with my colleague who is doing the actual work, but...

I assume that they do not have the same serial number, since they are
new certificates.

I don't know whether they have the same private key.  For discussion
purposes, let's say that they might or might not have the same key.

Remember that these are customer-controlled certificates; I don't get to
tell them how the certificates should be structured.

Note that this would be easy if each successive certificate had a
different Subject, because then the trust list could contain all of them
and there would be no possibility for confusion.  But they don't.

Jordan Brown, Oracle Solaris
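An added check (my own script, not part of the thread) that reproduces the situation with the openssl CLI: two self-signed trust anchors with the same Subject but different keys, a leaf signed by the second one, and `openssl verify` run against a CAfile holding both. It assumes only an `openssl` binary on PATH; the CA name, hostname and file layout are constructed for the example.

```shell
# Added example, not from the thread: two trust anchors that share a Subject
# but hold different keys, a leaf signed by the second one, and `openssl
# verify` asked whether a CAfile listing both anchors accepts the leaf.
# Assumes only the `openssl` CLI on PATH; every name and path is constructed.
set -e

# Private config so the result does not depend on the system openssl.cnf.
write_cfg() {
  cat >"$1/x509.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Customer Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# make_ca DIR NAME: self-signed CA with a fresh key and the shared Subject.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/$2.key" -out "$1/$2.pem" \
    -days 365 -config "$1/x509.cnf" -extensions ca_ext \
    -subj "/CN=Customer Root CA" >/dev/null 2>&1
}

# same_subject_verify: returns 0 when the leaf verifies against a CAfile that
# lists the wrong-key anchor first and the signing anchor second.
same_subject_verify() {
  d=$(mktemp -d)
  write_cfg "$d"
  make_ca "$d" ca1                      # trusted anchor #1 (did not sign the leaf)
  make_ca "$d" ca2                      # trusted anchor #2 (signs the leaf)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
    -config "$d/x509.cnf" -subj "/CN=leaf.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca2.pem" -CAkey "$d/ca2.key" \
    -CAcreateserial -days 90 -extfile "$d/x509.cnf" -extensions leaf_ext \
    -out "$d/leaf.pem" >/dev/null 2>&1
  cat "$d/ca1.pem" "$d/ca2.pem" >"$d/trust.pem"   # both anchors, wrong one first
  if openssl verify -CAfile "$d/trust.pem" "$d/leaf.pem" >/dev/null 2>&1; then rc=0; else rc=1; fi
  rm -rf "$d"
  return $rc
}
```

The leaf carries an authorityKeyIdentifier that matches only the signing anchor's subjectKeyIdentifier, which is what lets the store tell the two same-named anchors apart; removing that line from `leaf_ext` and re-running shows whether a given OpenSSL build still finds the right anchor by Subject alone.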

