Perhaps I misunderstand. We have been using PKI for several years now and have used two different implementations, but we are not gurus on the subject. I assume that the DN is the concatenation of the various X.509 fields, e.g., C=US,O=Nexus,OU=engineering,CN=john.sullivan. Are you saying that you prepend the serial number to it to ensure that it is always unique?
In both of our existing PKIs, we issue certs for users whose existing certs are near expiration. When we issue the new certs, we issue them with the exact same X.509 fields, since our security is based upon parsing those fields. We do not revoke their old certificate until we are sure the new one is working for them. This means there is a brief period when both certs are valid. If I revoke their old cert to generate their new cert, there will be a period of time when they will have no valid cert. Let's say that the john.sullivan user cited above has a cert that is about to expire. How would I issue another cert for C=US,O=Nexus,OU=engineering,CN=john.sullivan without first revoking his old one? Thanks - John
> John A. Sullivan III
> Group Technology Director
> Nexus Management
> +1 207-985-7880
-----Original Message-----
From: Michael Bell [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 21, 2002 6:43 AM
To: John Sullivan
Cc: [EMAIL PROTECTED]
Subject: Re: [Openca-Users] Issuing multiple certs for the same DN
> John Sullivan wrote:
>
> We frequently allow multiple certs for the same user with the
> same DN, e.g., we may allow them to use an old cert while we are
> processing their renewal request. I noticed that OpenCA did not allow
> me to issue a cert with a DN equal to one already issued. How do I
> get around this problem? Thanks - John
That's an OpenSSL problem. There can never be two certificates with the
same DN. We protect you from this problem by putting the serial in front
of the DN. Why do you need exactly the same DNs?
It is strongly recommended in the RFCs to never issue two certificates
with the same DN.
Michael
--
-------------------------------------------------------------------
Michael Bell Email (private): [EMAIL PROTECTED]
Rechenzentrum - Datacenter Email: [EMAIL PROTECTED]
Humboldt-University of Berlin Tel.: +49 (0)30-2093 2482
Unter den Linden 6 Fax: +49 (0)30-2093 2959
10099 Berlin
Germany http://www.openca.org
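The renewal overlap John describes (two unrevoked certificates for one DN, with the old one revoked only once the new one is confirmed working) can be audited against the CA's own database. The following is an added example, not OpenCA or OpenSSL code: it parses the tab-separated `openssl ca` index.txt format (status, expiry, revocation date, serial, file name, subject; subjects in OpenSSL's slash-separated oneline form) using constructed sample entries, and lists every subject that currently holds more than one valid certificate.

```python
"""Audit an OpenSSL-style CA database (index.txt) for subjects holding
more than one unrevoked, unexpired certificate.  Added example, not
OpenCA or OpenSSL code; the index lines below are constructed samples."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of an `openssl ca` index.txt.  Fields: status
# (V/R/E), expiry, revocation date (empty unless R), serial, file name,
# subject.  Entries 01 and 02 model the overlap period during renewal.
SAMPLE_INDEX = """\
V\t030321120000Z\t\t01\tunknown\t/C=US/O=Nexus/OU=engineering/CN=john.sullivan
V\t040320120000Z\t\t02\tunknown\t/C=US/O=Nexus/OU=engineering/CN=john.sullivan
R\t030401120000Z\t020315090000Z\t03\tunknown\t/C=US/O=Nexus/OU=engineering/CN=jane.doe
V\t040401120000Z\t\t04\tunknown\t/C=US/O=Nexus/OU=engineering/CN=jane.doe
"""

def parse_index(text):
    """Yield one dict per non-empty line; index.txt has six tab-separated fields."""
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _fname, subject = line.split("\t")
        yield {"status": status, "expiry": expiry, "revoked": revoked,
               "serial": serial, "subject": subject}

def parse_utctime(value):
    """index.txt stores dates as ASN.1 UTCTime, YYMMDDHHMMSSZ."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def duplicate_subjects(text, now):
    """Return {subject: [serials]} for subjects with two or more certificates
    that are neither revoked nor expired at `now` (serials sorted ascending).
    Expiry is checked explicitly because `openssl ca` only rewrites the
    status to E when the database is updated."""
    live = defaultdict(list)
    for e in parse_index(text):
        if e["status"] != "V" or parse_utctime(e["expiry"]) <= now:
            continue
        live[e["subject"]].append(e["serial"])
    return {s: sorted(v) for s, v in live.items() if len(v) > 1}

if __name__ == "__main__":
    when = datetime(2002, 3, 21, tzinfo=timezone.utc)
    for subject, serials in duplicate_subjects(SAMPLE_INDEX, when).items():
        print(f"{subject}: {len(serials)} valid certs, serials {serials}")
```

Run periodically, the report names exactly the DNs still inside an overlap window, which is the list of old certificates waiting to be revoked.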
