Hi,
in our tests (0.9.2.1) we are experiencing some weird behaviour with
regard to expired certificates.
Sometimes the status displayed does not reflect the true certificate
status (e.g. the cert is reported to be "Not expired" but in fact it is).
After reading the corresponding code I am pretty sure that the
reason for this is keeping the VALID and EXPIRED state of a
certificate in the database.
In my opinion this is a bug because the validity of the certificate
changes automatically when reaching the notAfter (or the notBefore)
date. This does not trigger a database action, so the status
in the database does not reflect the true certificate status.
OpenSSL index.txt is not doing any better, of course.
I'd like to propose the following change for the next release:
- for each certificate the notBefore and notAfter dates are stored
in the database
- the following certificate statuses are kept in the database:
- ISSUED (certificate was issued and may or may not be valid)
- REVOKED (certificate was explicitly revoked)
- maybe we also need RENEWED which might be set for the old cert
if the same DN is issued again later
- a library function should exist that determines the current and
up-to-date certificate status for an ISSUED certificate. This
function must be called in order to get the true status of the cert
in terms of validity.
(In addition I think we will have to recreate the OpenSSL index.txt
prior to any issuance or revocation action to work around the same
bug in OpenSSL, but I think this is already done in the CVS head code.)
What do you think?
Martin
_______________________________________________
OpenCA-Devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-devel
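The proposal above (persist only notBefore/notAfter plus an ISSUED/REVOKED flag, and derive the validity state on demand) can be checked against the OpenSSL index.txt format, which suffers from the same stale-flag problem. The following is an added example written for this page, not OpenCA's own code: it implements the proposed status function, parses a constructed index.txt (the real tab-separated layout: flag, expiry, revocation date with optional ",reason", serial, filename, subject), and reports every entry whose on-disk V/E/R flag disagrees with the status recomputed at a given time. The names `CertRecord`, `effective_status` and `audit_index`, and the sample entries, are assumptions made for the illustration.

```python
"""Added example: derive certificate validity from stored dates instead of a cached flag."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Iterable, List, Optional, Tuple


class StoredStatus(Enum):
    """Only facts that change through an explicit CA action are persisted."""
    ISSUED = "ISSUED"      # issued; may or may not be valid right now
    REVOKED = "REVOKED"    # explicitly revoked by the CA


class EffectiveStatus(Enum):
    """Derived on demand from the stored dates and the current time; never stored."""
    NOT_YET_VALID = "NOT_YET_VALID"
    VALID = "VALID"
    EXPIRED = "EXPIRED"
    REVOKED = "REVOKED"


@dataclass(frozen=True)
class CertRecord:
    """Hypothetical database row holding what the proposal says should be stored."""
    serial: str
    subject: str
    not_after: datetime
    not_before: Optional[datetime]       # None = unknown (index.txt has no such column)
    stored_status: StoredStatus
    revoked_at: Optional[datetime] = None


def effective_status(rec: CertRecord, now: datetime) -> EffectiveStatus:
    """The proposed library function: the true status of a record at time `now`.

    Revocation is an explicit CA decision and takes precedence over the time
    checks, so a revoked certificate is still reported REVOKED after notAfter.
    """
    if rec.stored_status is StoredStatus.REVOKED:
        return EffectiveStatus.REVOKED
    if rec.not_before is not None and now < rec.not_before:
        return EffectiveStatus.NOT_YET_VALID
    if now > rec.not_after:
        return EffectiveStatus.EXPIRED
    return EffectiveStatus.VALID


def parse_openssl_time(s: str) -> datetime:
    """index.txt times are UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if len(s) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)


# V and E both mean "issued": the E flag is exactly the cached expiry state that goes stale.
_FLAG_TO_STORED = {"V": StoredStatus.ISSUED, "E": StoredStatus.ISSUED, "R": StoredStatus.REVOKED}

_EFFECTIVE_TO_FLAG = {
    EffectiveStatus.VALID: "V", EffectiveStatus.NOT_YET_VALID: "V",
    EffectiveStatus.EXPIRED: "E", EffectiveStatus.REVOKED: "R",
}


def parse_index_line(line: str) -> Tuple[str, CertRecord]:
    """Parse one tab-separated index.txt entry; returns (flag on disk, record)."""
    flag, expiry, revoked, serial, _filename, subject = line.rstrip("\n").split("\t")
    revoked_at = parse_openssl_time(revoked.split(",")[0]) if revoked else None  # strip ",reason"
    return flag, CertRecord(
        serial=serial, subject=subject,
        not_after=parse_openssl_time(expiry), not_before=None,
        stored_status=_FLAG_TO_STORED[flag], revoked_at=revoked_at,
    )


def audit_index(lines: Iterable[str], now: datetime) -> List[Tuple[str, str, str]]:
    """Return (serial, flag on disk, flag it should carry at `now`) for every stale entry.

    This is the check to run before regenerating index.txt ahead of an issuance
    or revocation, as the message suggests.
    """
    stale = []
    for line in lines:
        if not line.strip():
            continue
        flag, rec = parse_index_line(line)
        wanted = _EFFECTIVE_TO_FLAG[effective_status(rec, now)]
        if wanted != flag:
            stale.append((rec.serial, flag, wanted))
    return stale


# Constructed sample index.txt (not real CA data), evaluated as of 2005-06-01.
SAMPLE_INDEX = [
    "V\t050301120000Z\t\t01\tunknown\t/CN=expired-but-still-flagged-V",
    "V\t060301120000Z\t\t02\tunknown\t/CN=still-valid",
    "R\t060301120000Z\t050401120000Z,keyCompromise\t03\tunknown\t/CN=revoked",
    "E\t050301120000Z\t\t04\tunknown\t/CN=expired-and-flagged-E",
]
NOW = datetime(2005, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for serial, on_disk, wanted in audit_index(SAMPLE_INDEX, NOW):
        print(f"serial {serial}: index.txt says {on_disk}, true status requires {wanted}")
```

Only serial 01 is reported: its flag was correct when written and silently became wrong when notAfter passed without any CA action touching the file, which is the bug described above. A database that stores only ISSUED/REVOKED and the two dates has nothing that can go stale in this way.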