How to rotate a cert when only the first matching cert has been verified

Michael Wojcik Michael.Wojcik at microfocus.com
Wed Dec 23 15:51:56 UTC 2020


> From: 定平袁 <pkudingping at gmail.com>
> Sent: Tuesday, 22 December, 2020 20:08
> To: Michael Wojcik <Michael.Wojcik at microfocus.com>

Please do not send messages regarding OpenSSL to me directly. Send them to the openssl-users list. That is where the discussion belongs.

> > Why are you appending it to the file containing the existing certificate?

> I am rotating the certificate. Before the server-side cert has been replaced, the
> client-side cert needs to be valid, so when rotating, both the old and new cert need to exist.

I'm afraid it still isn't clear to me what you're doing. Both the server's entity certificate and the client's entity certificate are in the same file? What does this file contain before you append the new certificate?

> > It sounds like you're updating the server's entity certificate.

> I guess it's an entity certificate (still trying to understand the different cert
> concepts...)

Does it identify the server, in the Subject DN and/or one or more Subject Alternative Name extensions?

> Below is the error message:

I'm afraid that message doesn't appear to contain any useful information.

> All 3 clients used the same ca.crt file, which has the old cert first, then the
> new cert after it. Only Python (which used OpenSSL) failed.

So *this* sounds like what you're changing in this particular file is the set of trust anchors, not the entity certificates.

Where did your "CA" certificates come from? A commercial CA or some personal or organizational CA? From your description it sounds like the problem may be that the CA certificates were not generated correctly. Without the certificates to examine, we can't say.

Can you post the old and new certificates in PEM form in your next message?

Please note that due to the holidays I will not be reading email for several days, and it's likely that some other regular list members will be similarly unavailable.

--
Michael Wojcik
