> John Sullivan wrote:
> 
>         Perhaps I misunderstand.  We have been using PKI for several
> years now and have used two different implementations but we are not
> gurus on the subject.  I assume that the DN is the concatenation of
> the various x.509 fields, e.g.,
> C=US,O=Nexus,OU=engineering,CN=john.sullivan.  Are you saying that you
> prepend the serial number to it to ensure that it is always unique?

Yes, this is exactly what I mean. So your DN would be
C=US,O=Nexus,OU=engineering,CN=john.sullivan,serialNumber=1234.

>         In both of our existing PKIs, we issue certs for users whose
> existing certs are near expiration.  When we issue the new certs, we
> issue them with the same, exact x.509 fields since our security is
> based upon parsing those fields.  We do not revoke their old
> certificate until we are sure the new one is working for them.  This
> means there is a brief period when both certs are valid.  If I revoke
> their old cert to generate their new cert, there will be a period of
> time when they will have no valid cert.  Let's say that the cert of the
> john.sullivan user cited above is about to expire.  How would
> I issue another cert for C=US,O=Nexus,OU=engineering,CN=john.sullivan
> without first revoking his old one?

Actually I have no solution for this problem. You can only filter the
serialNumber before you start parsing the DN. It is not necessary to
revoke the old certificates (it is also not recommended to revoke such
old certificates because the CRLs could be really big).

Sorry Michael
-- 
-------------------------------------------------------------------
Michael Bell                   Email (private): [EMAIL PROTECTED]
Rechenzentrum - Datacenter     Email:  [EMAIL PROTECTED]
Humboldt-University of Berlin  Tel.: +49 (0)30-2093 2482
Unter den Linden 6             Fax:  +49 (0)30-2093 2959
10099 Berlin
Germany                                       http://www.openca.org

_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users
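The filtering Michael describes (drop the per-certificate serialNumber RDN, then parse or compare the remaining fields) is easy to get wrong if the DN is handled as a flat string: a naive comparison of the full subject string fails as soon as a renewed cert carries a new serialNumber, and a naive split on commas breaks on escaped commas inside a value. The following is an added example, not OpenCA code or anything posted in this thread. It uses a hand-written parser for the RFC 4514 string form of a DN, assumes single-valued RDNs (no `+`), handles only backslash escapes (no `\XX` hex or quoted values), and treats attribute types as case-insensitive, so `serialNumber` and `SERIALNUMBER` are the same attribute:

```python
"""Strip the per-certificate serialNumber RDN from a subject DN before
parsing or comparing it.  Added example; not OpenCA code.

Assumptions (not from the original thread): RFC 4514 string DNs, one
attribute per RDN, backslash escapes only (no hex or quoted forms)."""
import re

# Attribute types are case-insensitive, so compare them in lower case.
SERIAL_ATTR = "serialnumber"


def split_rdns(dn: str) -> list:
    """Split a string DN into RDN strings on unescaped commas only."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])          # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return [r for r in rdns if r]


def unescape(value: str) -> str:
    """Resolve backslash escapes such as '\\,' -> ',' and '\\\\' -> '\\'."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_dn(dn: str) -> list:
    """Parse a DN into ordered (type, value) pairs, types lower-cased."""
    pairs = []
    for rdn in split_rdns(dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)   # values may themselves contain '='
        pairs.append((attr.strip().lower(), unescape(value.strip())))
    return pairs


def strip_attr(pairs: list, attr: str = SERIAL_ATTR) -> list:
    """Drop every RDN of the given attribute type (the uniqueness tag)."""
    return [(t, v) for t, v in pairs if t != attr]


def same_subject(dn_a: str, dn_b: str) -> bool:
    """True when both DNs name the same end entity once the
    per-certificate serialNumber is ignored, as during a renewal overlap."""
    return strip_attr(parse_dn(dn_a)) == strip_attr(parse_dn(dn_b))


def dn_fields(dn: str) -> dict:
    """Remaining fields as {type: [values]}, ready for the kind of
    O/OU/CN-based authorization parsing the original poster describes.
    A list per type preserves repeated attributes such as several OUs."""
    fields = {}
    for t, v in strip_attr(parse_dn(dn)):
        fields.setdefault(t, []).append(v)
    return fields


# Constructed sample DNs (not real certificates): the old cert, its
# renewal with a fresh serialNumber, a different user, and an escaped comma.
OLD_DN = "C=US,O=Nexus,OU=engineering,CN=john.sullivan,serialNumber=1234"
NEW_DN = "C=US,O=Nexus,OU=engineering,CN=john.sullivan,serialNumber=5678"
OTHER_DN = "C=US,O=Nexus,OU=engineering,CN=jane.doe,serialNumber=1234"
ESCAPED_DN = "C=US,O=Nexus\\, Inc.,OU=engineering,CN=john.sullivan,serialNumber=42"

if __name__ == "__main__":
    print("raw strings equal:", OLD_DN == NEW_DN)          # False
    print("same subject:", same_subject(OLD_DN, NEW_DN))   # True
    print("other user:", same_subject(OLD_DN, OTHER_DN))   # False
    print("fields:", dn_fields(ESCAPED_DN))
```

The point of `same_subject` is that the authorization layer keys on the stripped pairs, so the old and the renewed certificate are both accepted for john.sullivan during the overlap period, while the full subject strings stay distinct and therefore unique per certificate, which is what the serialNumber tag is for.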
