Gilles Cuesta wrote:
2008/6/16 Michael Ströder <[EMAIL PROTECTED]>:
Gilles Cuesta wrote:
So, at a time, we have 2 ClientCA with different key and different
validity period, but same DN.
This is bad practice. Try searching for "CA key roll-over".

I found docs about it, but proprietary PKI, and couldn't know if this
feature is implemented ...

It's not a "feature"! Pretty sure there are docs out there describing best practices when conducting a CA key roll-over. One of the best practices is to change the subject DN of the CA entity cert.

You could try to add the authorityKeyIdentifier extension to the CRL if it's
also present in the CA certs. This could work with some software.
          X509v3 Authority Key Identifier:
               keyid:56:4D:A9...

But it doesn't work as is, issuing "signature verification error" in
apache error logs ...

Glad you learned so soon that it's better to rework your renewed sub-CA cert. ;-)

Ciao, Michael.
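An added example to go with the exchange above (it is not code from this thread, from mod_ssl or from the OpenSSL project): a POSIX shell script that uses the openssl CLI to build two ClientCA certificates with the same subject DN, issues a CRL from the new key with an authorityKeyIdentifier, and shows why a name-based issuer lookup still fails against the old certificate while a renewed CA with a distinct DN verifies cleanly from a bundle holding both generations. All file names, the "/CN=ClientCA" and "/CN=ClientCA G2" subjects, and the helper names (make_ca, make_crl, crl_verifies, ski_of, aki_of_crl) are constructed for this demo; it assumes openssl 1.1.1 or 3.x is on PATH.

```shell
#!/bin/sh
# Added demo (not from the thread): CA key roll-over with a reused subject DN.
# Assumption: the 'openssl' CLI (1.1.1 or 3.x) is available; everything else is constructed here.
set -e

WORK=$(mktemp -d)
CFG="$WORK/openssl.cnf"
touch "$WORK/index.txt"            # empty 'ca' database, enough for -gencrl
echo 01 > "$WORK/serial"

# Minimal config: 'req' insists on a DN section even with -subj; 'ca -gencrl'
# needs a database plus the crl_extensions section that embeds the AKI in the CRL.
cat > "$CFG" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $WORK/index.txt
serial = $WORK/serial
new_certs_dir = $WORK
default_md = sha256
default_crl_days = 30
crl_extensions = crl_ext
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF

make_ca() {   # $1 file prefix, $2 subject DN: self-signed CA with SKI/AKI extensions
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "$2" -config "$CFG" -extensions v3_ca \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

make_crl() {  # $1 CA prefix, $2 output: CRL signed by that CA, carrying its key id as AKI
    openssl ca -config "$CFG" -gencrl -keyfile "$WORK/$1.key" \
        -cert "$WORK/$1.pem" -out "$2" 2>/dev/null
}

crl_verifies() {  # $1 CRL, $2 CA file: true when openssl reports "verify OK"
    # 'openssl crl' picks the issuer by subject name only and does not reflect the
    # verification result in its exit status, so the message on stderr is what counts.
    openssl crl -in "$1" -noout -CAfile "$2" 2>&1 | grep -q '^verify OK'
}

ski_of() {      # Subject Key Identifier of a certificate, as AA:BB:...
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Key Identifier/ { getline; gsub(/[ \t]/, ""); print; exit }'
}

aki_of_crl() {  # Authority Key Identifier (keyid part) carried by a CRL
    openssl crl -in "$1" -noout -text |
        awk '/Authority Key Identifier/ { getline; gsub(/[ \t]/, ""); sub(/^keyid:/, ""); print; exit }'
}

make_ca old   "/CN=ClientCA"      # original ClientCA
make_ca new   "/CN=ClientCA"      # re-keyed ClientCA, same DN (the situation in the thread)
make_ca newg2 "/CN=ClientCA G2"   # re-keyed ClientCA with a distinct DN (the recommended roll-over)

OLD_CA="$WORK/old.pem"; NEW_CA="$WORK/new.pem"; G2_CA="$WORK/newg2.pem"
CRL_SAME="$WORK/same-dn.crl"; CRL_G2="$WORK/g2.crl"; BUNDLE_G2="$WORK/bundle-g2.pem"
make_crl new   "$CRL_SAME"
make_crl newg2 "$CRL_G2"
cat "$OLD_CA" "$G2_CA" > "$BUNDLE_G2"   # both CA generations in one CA file, as a server would hold them

echo "CRL AKI:           $(aki_of_crl "$CRL_SAME")"
echo "old ClientCA SKI:  $(ski_of "$OLD_CA")"
echo "new ClientCA SKI:  $(ski_of "$NEW_CA")"
if crl_verifies "$CRL_SAME" "$OLD_CA"; then echo "same-DN CRL vs old CA: verify OK"; else echo "same-DN CRL vs old CA: verify failure (signature made with the new key)"; fi
if crl_verifies "$CRL_SAME" "$NEW_CA"; then echo "same-DN CRL vs new CA: verify OK"; fi
if crl_verifies "$CRL_G2" "$BUNDLE_G2"; then echo "G2 CRL vs bundle of old+G2: verify OK (distinct DN makes the lookup unambiguous)"; fi
```

The AKI in the CRL names the correct key, and a verifier that consults it can pick the right certificate; a verifier that selects the issuer by subject DN alone, as the CLI used here does, lands on whichever ClientCA it finds first and reports a signature failure, which is the symptom from the apache error log. Giving the renewed CA a distinct DN removes that ambiguity regardless of how the relying party resolves the issuer.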
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]
