Gilles Cuesta wrote:
So, at a time, we have 2 ClientCAs with different keys and different
validity periods, but the same DN.

This is bad practice. Try searching for "CA key roll-over".

The problem is, verifying client certs works with both ClientCAs
stacked; but when using a CRL, old clients work only if the CRL is signed by
the old ClientCA.

Well, you asked for trouble...

You could try to add the authorityKeyIdentifier extension to the CRL if it's also present in the CA certs. This could work with some software.

But my strong recommendation: Fix your 2nd ClientCA cert.

Ciao, Michael.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]
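As an added example (not from this thread and not mod_ssl code), a sh script that builds the situation Gilles describes, two ClientCA certs sharing one DN but with different keys, issues a CRL from each carrying the authorityKeyIdentifier Michael suggests, and shows that the CRL's AKI, not the issuer DN, identifies the signing CA. It assumes a working `openssl` CLI; the file names and the `O=Example, CN=ClientCA` DN are constructed.

```shell
# Added example (not from the thread): two ClientCA generations with one DN but
# different keys, one CRL each, and a check that matches CRL AKI to CA SKI.
set -e
WORK=$(mktemp -d); cd "$WORK"
cat > ca.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
O = Example
CN = ClientCA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ ca ]
default_ca = CA_default
[ CA_default ]
database = index.txt
default_md = sha256
crl_extensions = crl_ext
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
touch index.txt
# Both generations take the identical subject from [ dn ]; only the key differs.
for g in old new; do
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout ca_$g.key -out ca_$g.pem 2>/dev/null
  openssl ca -config ca.cnf -gencrl -crldays 30 -keyfile ca_$g.key \
    -cert ca_$g.pem -out crl_$g.pem 2>/dev/null
done
crl_issuer_dn() { openssl crl -in "$1" -noout -issuer; }
crl_akid()  { openssl crl  -in "$1" -noout -text | awk '/Authority Key Identifier/{getline; gsub(/[ \t]|keyid:/,""); print; exit}'; }
cert_skid() { openssl x509 -in "$1" -noout -text | awk '/Subject Key Identifier/{getline; gsub(/[ \t]/,""); print; exit}'; }
# Print the CA cert whose SKI equals the CRL's AKI; fail when the CRL has none,
# because then the issuer DN is all a verifier has and it names both CAs.
crl_issuer_cert() {
  crl=$1; shift
  akid=$(crl_akid "$crl")
  [ -n "$akid" ] || { echo "$crl: no authorityKeyIdentifier, issuer DN is ambiguous" >&2; return 1; }
  for c in "$@"; do
    [ "$(cert_skid "$c")" = "$akid" ] && { echo "$c"; return 0; }
  done
  echo "$crl: AKI $akid matches none of: $*" >&2; return 1
}
echo "same issuer DN on both CRLs: $(crl_issuer_dn crl_old.pem)"
echo "crl_old.pem was signed by $(crl_issuer_cert crl_old.pem ca_old.pem ca_new.pem)"
echo "crl_new.pem was signed by $(crl_issuer_cert crl_new.pem ca_old.pem ca_new.pem)"
```

Whether a given client honours the AKI when choosing between two same-DN CAs depends on its SSL library, which is why the reply calls this a workaround rather than a fix.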