Hi Michael,
thanks for digging in... :-)
>> in our tests (0.9.2.1) we are experiencing some weird behaviour with
>> regard to expired certificates.
>> Sometimes the status displayed does not reflect the true certificate
>> status (e. g. cert is reported to be "Not expired" but in fact it is).
>
> Mmh, I hope you use - like always - DBI and then it is a bug.
Yes, DBI. Happened this way:
- new CSR, existing cert for this CSR
- following the link in the CSR to this existing cert shows the
cert information
- the cert expired 2005-01-26, status column in DB is VALID.
- the cert overview page shows cert status: "Not expired"
I tried to find the problem in the code but was not able to pinpoint
it. In viewCert:
    if ( $tmpStatus =~ /^Valid/i ) {
        # compare the current time against NOTAFTER, both as numeric dates
        if ( $now > $cryptoShell->getNumericDate($parsedCert->{NOTAFTER}) ) {
            $tmpStatus = gettext("Expired");
        }
    }
I can only deduce that the comparison $now > ... did not return true
for my cert. Don't know why.
>> After reading the corresponding code I am pretty sure that the
>> reason for this is keeping the VALID and EXPIRED state of a
>> certificate in the database.
>
> No, the database never stores a certificate EXPIRED physically into the
> database. We always store VALID and the status VALID/EXPIRED depends on
> the notbefore column.
OK, understood. Then this discussion is bogus... :-)
> We can only add NOTBEFORE. NOTAFTER is already present.
We should, it belongs to the state, I think.
> ISSUED is like today's VALID. What happens with SUSPENDED?
Well, it's still valid, isn't it? The only difference is that
a valid and approved CRR exists for the cert. But storing this
status does not hurt either...
> The new release will have a complete new understanding of index.txt. If
> you create a new cert then index.txt is always empty (otherwise you get
> a really big performance problem if you have several thousand active
> certificates). If you issue a CRL then a fresh index.txt with only the
> revoked certificates will be created. This solution has an acceptable
> performance and we solve a lot of problems with the old index.txt
> handling.
Great - sounds good to me.
cheers
Martin
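For reference, a small Perl sketch of the display-time check discussed above. It is an added example, not OpenCA's viewCert code; notafter_to_epoch and display_status are hypothetical names, and the NOTAFTER input format (OpenSSL-style "Jan 26 12:00:00 2005 GMT") is an assumption. It compares epoch seconds numerically on both sides and reports a parse failure instead of defaulting to "Not expired".

```perl
#!/usr/bin/perl
# Added example (not OpenCA code): derive the displayed certificate status
# from the stored DB status plus NOTAFTER. The DB keeps VALID; expiry is
# decided at display time, so the date comparison must not fail silently.
use strict;
use warnings;
use Time::Local qw(timegm);

my %MON = (Jan => 0, Feb => 1, Mar => 2, Apr => 3, May => 4,  Jun => 5,
           Jul => 6, Aug => 7, Sep => 8, Oct => 9, Nov => 10, Dec => 11);

# Hypothetical helper: parse an OpenSSL-style NOTAFTER string such as
# "Jan 26 12:00:00 2005 GMT" (assumed format) into epoch seconds (UTC).
# Returns undef for anything it cannot parse instead of a bogus value.
sub notafter_to_epoch {
    my ($s) = @_;
    return undef unless defined $s && $s =~
        /^\s*([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{2}):(\d{2}):(\d{2})\s+(\d{4})\s+GMT\s*$/;
    my ($mon, $day, $h, $m, $sec, $y) = ($1, $2, $3, $4, $5, $6);
    return undef unless exists $MON{$mon};
    my $epoch = eval { timegm($sec, $m, $h, $day, $MON{$mon}, $y) };
    return $epoch;   # undef if timegm died on an impossible date
}

# Hypothetical helper: the status shown to the user. Only VALID certs are
# re-evaluated; the comparison is numeric on epoch seconds on both sides.
sub display_status {
    my ($db_status, $notafter, $now) = @_;
    return $db_status unless $db_status =~ /^valid$/i;
    my $exp = notafter_to_epoch($notafter);
    # Unparseable NOTAFTER: report it rather than silently showing "Not expired".
    return 'Unknown (unparseable NOTAFTER)' unless defined $exp;
    return $now > $exp ? 'Expired' : 'Not expired';
}

# Constructed sample rows: the 2005-01-26 cert from the report, a cert still
# in its validity period, and a row whose NOTAFTER is garbled.
my $now = time;
my @rows = (
    [ 'VALID', 'Jan 26 12:00:00 2005 GMT' ],
    [ 'VALID', 'Jan  1 00:00:00 2099 GMT' ],
    [ 'VALID', '2005-01-26' ],
);
printf "%-6s %-26s -> %s\n", $_->[0], $_->[1],
    display_status($_->[0], $_->[1], $now) for @rows;
```

The third row is the case worth watching for: a comparison that quietly gets a non-numeric operand is how a long-expired cert can end up displayed as "Not expired".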
OpenCA-Devel mailing list
https://lists.sourceforge.net/lists/listinfo/openca-devel