On Wed, Jan 31, 2007 at 01:57:04PM +1300, Peter Gutmann wrote:

> Victor Duchovni <[EMAIL PROTECTED]> writes:
>
> >What I don't understand is how the old (finally expired) root helps to
> >validate the new unexpired root, when a verifier has the old root and the
> >server presents the new root in its trust chain.
>
> You use the key in the old root to validate the self-signature in the new
> root. Since they're the same key, you know that the new root supersedes the
> expired one.

Does this actually work with OpenSSL and v3 CA certs that have "X509v3 Authority Key Identifier" extensions?

With these extensions present (default when OpenSSL constructs CA certs, ...), certs whose serial number does not match the "serial" field in the extension are not considered to be root CA certs (not self-signed), and CA certs sharing the same keys and DN, but carrying different serials, simply don't match.

If I roll back the serial numbers and issue a cert with all the details (including serial number, ...) the same, but just the start/end dates changed to start before the expiration of the verifier's expired CA, and end after today's date, the verifier ends up with a trust chain that starts with the expired cert and fails, regardless of whether the server sends the new root CA cert or not.

CA0.pem:
--------
serial=C27B874157E381C0
issuer= <fixed-ca-dn>
subject= <fixed-ca-dn>
notBefore=Jan 1 00:00:00 2007 GMT
notAfter=Jan 31 00:00:00 2007 GMT
...
X509v3 Authority Key Identifier:
    keyid:CB:C0:45:68:F9:B0:DF:8B:A9:E9:EA:A0:F1:93:A1:C1:6B:7C:96:E4
    DirName:<fixed-ca-dn>
    serial:C2:7B:87:41:57:E3:81:C0

CA1.pem:
--------
serial=C27B874157E381C0
issuer= <fixed-ca-dn>
subject= <fixed-ca-dn>
notBefore=Jan 15 00:00:00 2007 GMT
notAfter=Feb 28 00:00:00 2007 GMT
...
X509v3 Authority Key Identifier:
    keyid:CB:C0:45:68:F9:B0:DF:8B:A9:E9:EA:A0:F1:93:A1:C1:6B:7C:96:E4
    DirName:<fixed-ca-dn>
    serial:C2:7B:87:41:57:E3:81:C0

SRV.pem:
---------
serial=C27B874157E381C1
issuer= <fixed-ca-dn>
subject= <server-dn>
notBefore=Jan 15 00:00:00 2007 GMT
notAfter=Feb 28 00:00:00 2007 GMT
...
X509v3 Authority Key Identifier:
    keyid:CB:C0:45:68:F9:B0:DF:8B:A9:E9:EA:A0:F1:93:A1:C1:6B:7C:96:E4
    DirName:<fixed-ca-dn>
    serial:C2:7B:87:41:57:E3:81:C0

A client with CAfile containing just "CA0.pem" fails to verify a server configured to send the SRV,CA1 trust chain.

My verification callback is called three times and produces:

    Trace: certificate verification depth=1 verify=0 subject=<fixed-ca-dn>
    Error: CA certificate verification failed for <peer> certificate has expired
    Trace: certificate verification depth=1 verify=1 subject=<fixed-ca-dn>
    Trace: certificate verification depth=0 verify=1 subject=<server-dn>

If the verifier trusts the "CA1.pem" cert, I see instead:

    Trace: certificate verification depth=1 verify=1 subject=<fixed-ca-dn>
    Trace: certificate verification depth=0 verify=1 subject=<fixed-server-dn>

How does one construct a working (re-issued root CA) example with OpenSSL? Am I setting this up incorrectly, or does OpenSSL not in fact support establishing trust in re-issued root CA via now expired root CAs?

I have not tried to do this without the "issuer key identifier" extension, but don't really expect to find anything different...

-- 
Victor Duchovni
IT Security, Morgan Stanley

The Cryptography Mailing List
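
Added example (not part of the original message, and not OpenSSL's code): a simplified Python model of Authority Key Identifier matching and trust-store-first chain building, run over the CA0/CA1/SRV values from the post. The Cert class, the function names, the status strings, the CA2 certificate with serial 0x1001 and the evaluation date are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

CA_DN = "<fixed-ca-dn>"
KEYID = "CB:C0:45:68:F9:B0:DF:8B:A9:E9:EA:A0:F1:93:A1:C1:6B:7C:96:E4"

@dataclass(frozen=True)
class Cert:
    name: str
    subject: str
    serial: int
    not_after: date
    akid_serial: Optional[int] = 0xC27B874157E381C0  # AKI: serial of the issuer
    issuer: str = CA_DN
    skid: str = KEYID                     # only CA certs are used as candidates
    akid_keyid: Optional[str] = KEYID     # AKI: key id of the issuer
    akid_dirname: Optional[str] = CA_DN   # AKI: DN of the issuer's own issuer

def akid_mismatch(child, cand):
    """Why cand cannot be child's issuer under child's AKI, or None if it can."""
    if child.issuer != cand.subject:
        return "issuer DN mismatch"
    if child.akid_keyid is not None and child.akid_keyid != cand.skid:
        return "AKI keyid mismatch"
    if child.akid_serial is not None and child.akid_serial != cand.serial:
        return "AKI serial mismatch"
    if child.akid_dirname is not None and child.akid_dirname != cand.issuer:
        return "AKI DirName mismatch"
    return None

def verify(leaf, sent, trusted, today):
    """Build a chain, searching the trust store before the certs the peer sent."""
    chain, cur = [leaf], leaf
    while cur not in trusted:
        cur = next((c for c in [*trusted, *sent]
                    if c not in chain and akid_mismatch(cur, c) is None), None)
        if cur is None:
            return [c.name for c in chain], "no matching issuer"
        chain.append(cur)
    expired = any(today > c.not_after for c in chain)
    return [c.name for c in chain], "certificate has expired" if expired else "ok"

# Values from the post, except CA2 and TODAY, which are constructed.
CA0 = Cert("CA0", CA_DN, 0xC27B874157E381C0, date(2007, 1, 31))
CA1 = Cert("CA1", CA_DN, 0xC27B874157E381C0, date(2007, 2, 28))
CA2 = Cert("CA2", CA_DN, 0x1001, date(2007, 2, 28), akid_serial=0x1001)
SRV = Cert("SRV", "<server-dn>", 0xC27B874157E381C1, date(2007, 2, 28))
TODAY = date(2007, 2, 1)  # after CA0's notAfter
```

In this model, verify(SRV, [CA1], [CA0], TODAY) anchors on the expired CA0 whether or not CA1 is sent, and a root re-issued under a new serial (CA2) is rejected as SRV's issuer by the serial field of SRV's Authority Key Identifier.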