[openssl-users] Trusting certificates with the same subject name and overlapping validity periods

Jeffrey Walton noloader at gmail.com
Wed Sep 20 21:58:41 UTC 2017


On Wed, Sep 20, 2017 at 5:48 PM, Jordan Brown
<openssl at jordan.maileater.net> wrote:
> ...
> The above also works with "authorityCertSerialNumber", see
>
>    https://tools.ietf.org/html/rfc5280#section-4.2.1.1
>
> If, however, the newer certificate has a different key, and the same
> subject DN, but does not place matching distinct subject key identifiers
> in the certificates it issues, then OpenSSL will not correctly handle
> multiple candidate issuers that differ in the public key, but provide
> no hints in the issued certificates which issuer to use.
>
> I'm not familiar with those extensions and will need to do more research.

I believe the controlling IETF document is "Internet X.509 Public Key
Infrastructure: Certification Path Building",
https://tools.ietf.org/html/rfc4158.

Jeff
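An added example, not code from this thread or from OpenSSL: it builds two CA certificates that share a subject DN but hold different keys (the scenario quoted above) and shows that a leaf carrying an authorityKeyIdentifier selects exactly one candidate issuer, while a leaf without that hint matches both and can only be resolved by trying the signature. It uses the Python `cryptography` package; the names and serial numbers are constructed.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root CA")])  # constructed
NOW = datetime.datetime(2017, 9, 20)

def make_ca(serial):
    """Self-signed CA with an SKID; two calls give two CAs sharing CA_NAME but not a key."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder().subject_name(CA_NAME).issuer_name(CA_NAME)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=3650))
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
            .sign(key, hashes.SHA256()))
    return key, cert

def make_leaf(ca_key, ca_cert, with_akid):
    """Leaf signed by ca_key; with_akid adds the RFC 5280 4.2.1.1 issuer hint (keyIdentifier)."""
    key = ec.generate_private_key(ec.SECP256R1())
    b = (x509.CertificateBuilder()
         .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "leaf.example")]))
         .issuer_name(ca_cert.subject).public_key(key.public_key()).serial_number(1000)
         .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365)))
    if with_akid:
        skid = ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
        b = b.add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(skid), critical=False)
    return b.sign(ca_key, hashes.SHA256())

def candidate_issuers(leaf, store):
    """Issuer name must match; if the leaf carries an AKID keyIdentifier it must equal the CA's SKID."""
    try:
        akid = leaf.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value.key_identifier
    except x509.ExtensionNotFound:
        akid = None
    matches = []
    for ca in store:
        skid = ca.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest
        if ca.subject == leaf.issuer and (akid is None or akid == skid):
            matches.append(ca)
    return matches

def verifies(leaf, ca):
    """Signature check: the only way to tell two same-named CAs apart once the hint is missing."""
    try:
        ca.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes, ec.ECDSA(leaf.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False
```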

