How to rotate a cert when only the first matching cert is verified

定平袁 pkudingping at gmail.com
Sun Dec 20 00:59:24 UTC 2020


Hello everyone,

Recently I have been trying to rotate a cert, and the client uses the Python requests
lib, which leverages OpenSSL. Here are my steps:

1. Generate a new cert, and append it to the cert file (at this point there
are 2 certs in the file: first the old cert, second the new one; they have the
same Subject), then restart the client-side process (no problem here, because the
first cert matches the server-side cert, and it verifies successfully).
2. Replace the server-side cert with the new cert.

As soon as I issue step #2, the client-side process starts to show the error
“certificate verify failed”. This would cause downtime for my apps. I am new to
this, and not sure if there is anything wrong regarding my usage or understanding.
But I found this page
https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_load_verify_locations.html,
which describes exactly the behavior I see in my test:

If several CA certificates matching the name, key identifier, and serial
number condition are available, only the first one will be examined. This
may lead to unexpected results if the same CA certificate is available with
different expiration dates. If a "certificate expired" verification error
occurs, no other certificate will be searched. Make sure to not have
expired certificates mixed with valid ones.

So I am wondering how to rotate a cert in such a case? It would be very
helpful if anyone could help with this. Thanks.

BTW, I tested the same cert file with curl (compiled with GnuTLS), and it works
fine.

Regards
Dingping
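The rotation procedure and the "first matching certificate" lookup described in the post, reproduced with the openssl CLI as an added example (this is not code from the original post or from the OpenSSL project; it assumes the `openssl` binary is installed and on PATH). `openssl verify` runs the same X509_verify_cert chain building that a TLS client such as Python's ssl module performs against a file loaded with SSL_CTX_load_verify_locations, so it is a cheap way to test a bundle before restarting anything. The script builds three self-signed trust anchors (an old one, a new one with the same Subject as in the post, and a new one with a distinct Subject; all names are made up), signs a server cert with each, and checks the bundle layouts. Whether the post's old-first bundle verifies a leaf signed by the same-Subject new anchor depends on the OpenSSL version and on whether the certificates carry authority/subject key identifiers, so that result is only printed, not assumed.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenSSL. Assumes the
# openssl CLI is installed. Subject names and file names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Create a self-signed trust anchor: $1 = file basename, $2 = subject.
mkca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1.key" -out "$1.pem" -subj "$2" >/dev/null 2>&1
}

# Issue a server cert signed by anchor $1 into $2.pem; this is what the
# server presents after step 2 of the rotation.
mkleaf() {
    openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
        -subj '/CN=app.example.test' >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -out "$2.pem" >/dev/null 2>&1
}

# Same chain verification a TLS client performs: $1 = CA file (bundle),
# $2 = server cert. Prints "ok" or "fail" instead of aborting the script.
verify() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

mkca old      '/CN=Example Root CA'       # anchor currently deployed
mkca new_same '/CN=Example Root CA'       # replacement with the SAME Subject (the post)
mkca new_dist '/CN=Example Root CA 2021'  # replacement with its own Subject
mkleaf old      leaf_old                   # server cert before the switch
mkleaf new_same leaf_same                  # server cert after the switch (same-Subject anchor)
mkleaf new_dist leaf_dist                  # server cert after the switch (distinct anchor)

cat old.pem new_same.pem > old_first.pem   # step 1 of the post: new appended after old
cat new_same.pem old.pem > new_first.pem   # reordered: new anchor first
cat old.pem new_dist.pem > distinct.pem    # distinct Subject: one candidate per name

# The Subject lookup returns the old anchor first for "Example Root CA";
# whether a second candidate is tried depends on version and AKID/SKID.
echo "old-first bundle, leaf signed by same-Subject new anchor: $(verify old_first.pem leaf_same.pem)"
echo "new-first bundle, leaf signed by OLD anchor:              $(verify new_first.pem leaf_old.pem)"
# Reordering only moves the problem: now the new anchor is found first for
# servers still presenting the old cert. The two cases below hold everywhere.
echo "new-first bundle, leaf signed by new anchor:              $(verify new_first.pem leaf_same.pem)"
echo "distinct-Subject bundle, old leaf / new leaf:             $(verify distinct.pem leaf_old.pem) / $(verify distinct.pem leaf_dist.pem)"
```

Run it on the OpenSSL build the client actually links against (`python -c 'import ssl; print(ssl.OPENSSL_VERSION)'` shows which one requests is using) and compare the first two lines; a bundle with a distinct Subject per anchor gives every lookup exactly one candidate, so both the old and the new server cert verify during the switchover regardless of bundle order or OpenSSL version.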