[openssl-users] Trusting certificates with the same subject name and overlapping validity periods
noloader at gmail.com
Wed Sep 20 21:58:41 UTC 2017
On Wed, Sep 20, 2017 at 5:48 PM, Jordan Brown
<openssl at jordan.maileater.net> wrote:
> The above also works with "authorityCertSerialNumber", see
> If, however, the newer certificate has a different key, and the same
> subject DN, but does not place matching distinct subject key identifiers
> in the certificates it issues, then OpenSSL will not correctly handle
> multiple candidate issuers that differ in the public key, but provide
> no hints in the issued certificates which issuer to use.
> I'm not familiar with those extensions and will need to do more research.
I believe the controlling IETF document is "Internet X.509 Public Key
Infrastructure: Certification Path Building",
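
The key-identifier hint discussed in the quoted text, reproduced with the openssl command line as an added example that is not part of the original thread: two CA certificates share one subject DN but have different keys, and the issued certificate's authority key identifier is compared with each candidate's subject key identifier. The CA name, file names and the helper functions make_fixture, key_id and pick_issuer are made up for illustration.

```shell
#!/bin/sh
# Constructed scenario: a CA rolls its key but keeps its subject DN, so two CA
# certificates share one name. All names and file paths here are made up.
make_fixture() {  # $1 = empty working directory
    cat > "$1/x.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Rollover CA
[v3_ca]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[leaf]
authorityKeyIdentifier = keyid:always
EOF
    for ca in old new; do   # same subject DN, different key pair
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/x.cnf" \
            -keyout "$1/$ca.key" -out "$1/$ca.pem" 2>/dev/null || return 1
    done
    # The leaf is issued by the newer CA and carries that CA's key identifier.
    openssl req -new -newkey rsa:2048 -nodes -config "$1/x.cnf" \
        -subj "/CN=leaf.example" -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/new.pem" -CAkey "$1/new.key" \
        -set_serial 2 -days 30 -extfile "$1/x.cnf" -extensions leaf \
        -out "$1/leaf.pem" 2>/dev/null
}

key_id() {  # $1 = certificate, $2 = Subject | Authority; prints the hex id or nothing
    openssl x509 -in "$1" -noout -text |
        grep -A1 "X509v3 $2 Key Identifier" |
        grep -Eo '([0-9A-F]{2}:)+[0-9A-F]{2}' | tr -d ':'
}

pick_issuer() {  # $1 = issued certificate, rest = candidate issuers with the same DN
    leaf=$1; shift
    want=$(key_id "$leaf" Authority)
    [ -n "$want" ] || { echo "no AKI keyid in $leaf: same-name issuers are ambiguous" >&2; return 2; }
    for cand in "$@"; do
        [ "$(key_id "$cand" Subject)" = "$want" ] && { echo "$cand"; return 0; }
    done
    echo "no candidate SKI matches AKI $want" >&2
    return 1
}

# Stand-alone run: prints the path of the candidate that issued the leaf.
work=$(mktemp -d) && make_fixture "$work" &&
    pick_issuer "$work/leaf.pem" "$work/old.pem" "$work/new.pem"
```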