On June 16, 2008 12:46:56 pm Gilles Cuesta wrote:
> 2008/6/16 Michael Ströder <[EMAIL PROTECTED]>:
> > Gilles Cuesta wrote:
> >> So, at a time, we have 2 ClientCA with different key and different
> >> validity period, but same DN.
> >
> > This is bad practice. Try searching for "CA key roll-over".
>
> I found docs about it, but proprietary PKI, and couldn't know if this
> feature is implemented ...
>
Check the IETF PKIX mailing list. There is a thread there by Santosh Chokhani and Stefan Santesson that goes into this. Short answer is - you can do what you want, but it's REALLY tricky, and Michael is right - best practice is to version your CAs (so the current one is CA1, the next one is CA2, etc.).
> >> The problem is, when verifying client cert work with both ClientCA
> >> stacked; but when using CRL, old clients work only if CRL is signed by
> >> old ClientCA.
> >
> > Well, you asked for trouble...
> >
> > You could try to add the authorityKeyIdentifier extension to the CRL if
> > it's also present in the CA certs. This could work with some software.
>
> Here we are :D
>
Ummm I think you mean that you want to have, in the CRL DP in the client certificate, the crlIssuer field of the CRL DP - problem is that 90% of the software out there (Apache included) won't deal with it.

BTW: To handle the case that you are trying to do, there was a patch sent in by Erwann ABALEA from Keynectis to the OpenSSL Users mailing list in January/February this year, IIRC. Perhaps you could try that - you'd have to do some fairly exotic things to mod_ssl, mind you, to get it to work :)

I'm with Michael - stop using the same name each time. Version your CAs.

Have fun.

-- 
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]
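The situation the thread describes, as an added example that is not part of the thread or of mod_ssl: two CAs built with the same DN, and a CRL issuer lookup that uses the CRL's authorityKeyIdentifier (Michael's suggestion) to pick the right CA key where a name-only lookup is ambiguous. It uses the third-party `cryptography` package; the DN, key type and validity periods are constructed for the example.

```python
# Added example, not from the thread: two self-signed CAs sharing one DN (the poster's
# setup) and a CRL issuer lookup that also matches the CRL's AKI against each CA's SKI.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

DN = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "ClientCA")])  # constructed

def make_ca(days_ago):
    """Self-signed CA carrying an SKI, valid from days_ago days back. Same DN every time."""
    not_before = datetime.now(timezone.utc) - timedelta(days=days_ago)
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder().subject_name(DN).issuer_name(DN)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_before + timedelta(days=730))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
            .sign(key, hashes.SHA256()))
    return key, cert

def make_crl(key, cert, with_aki):
    """Empty CRL signed by the CA's key; with_aki copies the CA's SKI into an AKI."""
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateRevocationListBuilder().issuer_name(cert.subject)
               .last_update(now).next_update(now + timedelta(days=7)))
    if with_aki:
        ski = cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
        aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski)
        builder = builder.add_extension(aki, critical=False)
    return builder.sign(key, hashes.SHA256())

def candidate_issuers(crl, cas):
    """CAs that may have issued crl: same name, plus matching key id when the CRL has an AKI."""
    try:
        aki = crl.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value.key_identifier
    except x509.ExtensionNotFound:
        aki = None  # name-only matching: ambiguous as soon as two CAs share a DN
    matches = []
    for ca in cas:
        ski = ca.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest
        if ca.subject == crl.issuer and aki in (None, ski):
            matches.append(ca)
    return matches

def verified_issuer(crl, cas):
    """The single candidate whose key verifies the CRL signature, else None."""
    good = [ca for ca in candidate_issuers(crl, cas) if crl.is_signature_valid(ca.public_key())]
    return good[0] if len(good) == 1 else None
```

Without the AKI both CAs are name candidates and a verifier that stops at the first name match can end up checking the CRL signature against the wrong key; with it, the lookup is unambiguous before any signature check.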