On 04/05/15 21:53, David Woodhouse wrote:
>> On Mon, May 4, 2015 1:25 pm, David Woodhouse wrote:
>>> Surely that's not unique? Using the above example, surely the first
>>> certificate issued by the 2010 instance of 'My CA', and the first
>>> certificate issued by the 2015 instance, are both going to have
>>> identical CKA_ISSUER and CKA_SERIAL_NUMBER, aren't they?
>> No, every subject and serial must be unique. If the 2010 and 2015 instances
>> are distinct bytes, they need distinct serial numbers.
> I was speaking of the serial numbers of certificates issued *by* those two
> separate CAs. Or are you suggesting that those sets of serial numbers must
> be disjoint?
You mean the 2015 instance is a re-signing of the "same" certificate?
Isn't the signature included in the "distinct bytes", meaning it's still a
new certificate which needs a new serial number, even if it's based on
the same request and the request is signed by the same key.

(If it's a re-issue with the same CA signature, same validity dates, and same
everything else, then including CKA_VALUE won't make it distinct either, and
there's no point in having two copies with different labels. It's the same object,
imported twice.)

However, I would expect both CKA_SUBJECT and CKA_ID to be the same
for a re-signed certificate.

(But that the CKA_SUBJECT and CKA_ID pair will uniquely identify the
private key that both certificates apply to. Years of working with HSMs
have left me with the attitude that the private key is the important bit,
and any certificate is someone else's problem, so issuer and serial number
are irrelevant :-)
But I do realize that's not the typical application view.)

--
http://www.brocade.com/products/all/application-delivery-controllers/index.page
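The distinction being argued above, as an added example that is not code from this thread: one CA signs the same subject key in a "2010" and a "2015" instance, and the program derives both PKCS#11 pairs from each result. CKA_ID is modelled as the SHA-1 of the SubjectPublicKeyInfo, which is an assumption (PKCS#11 leaves the contents of CKA_ID to the application); the subject name "device-42" and the serials are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertKeys holds the two PKCS#11 identifying pairs of one certificate object.
type CertKeys struct {
	IssuerSerial string // CKA_ISSUER + CKA_SERIAL_NUMBER: must differ for every certificate
	SubjectID    string // CKA_SUBJECT + CKA_ID: shared by every certificate covering the same key
}

// keysOf derives both pairs from a parsed certificate.
func keysOf(c *x509.Certificate) CertKeys {
	id := sha1.Sum(c.RawSubjectPublicKeyInfo) // CKA_ID modelled as SHA-1 of the SubjectPublicKeyInfo (assumption)
	return CertKeys{fmt.Sprintf("%x|%s", c.RawIssuer, c.SerialNumber), fmt.Sprintf("%x|%x", c.RawSubject, id)}
}

func date(year int) time.Time { return time.Date(year, 5, 4, 0, 0, 0, 0, time.UTC) }

// mustSign issues tmpl under parent with signer's key and parses the result; it panics on failure.
func mustSign(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// ReissueDemo builds one CA and signs the same subject key twice: a "2010" and a "2015" instance.
func ReissueDemo() (CertKeys, CertKeys) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "My CA"},
		NotBefore: date(2009), NotAfter: date(2030), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := mustSign(caTmpl, caTmpl, caPub, caKey) // self-signed root
	subjPub, _, _ := ed25519.GenerateKey(rand.Reader) // the one key both leaf certificates cover
	leaf := func(serial int64, year int) *x509.Certificate {
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "device-42"},
			NotBefore: date(year), NotAfter: date(year + 5)}
		return mustSign(tmpl, ca, subjPub, caKey)
	}
	return keysOf(leaf(1000, 2010)), keysOf(leaf(1001, 2015)) // same key and subject, fresh serial
}
```

Run as a test or from a main: the issuer/serial pairs of the two results differ, while the subject/id pairs are identical, which is the split the thread is describing.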

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto