Mohan,

It is my understanding that it is the client's job to make sure the
certificate is valid, and if it is not, then it will terminate the
connection.  With openssl, you can set the verify mode with
SSL_CTX_set_verify() so the client will ignore certificate errors, but as
the server it is your job to make sure that the certificate is valid.  If
you send a certificate to the end user that is not valid, it is their choice
what to do, you don't get a second try.  You can verify your own cert from
within the program, and make sure it is valid beforehand though.  If you
use a new certificate at any point the connection must undergo
a renegotiation which will effectively be a new SSL session.

Somebody who knows more than I do, please correct me if I'm wrong.

     -Sam

On Fri, Aug 20, 2010 at 12:05 PM, Mohan Radhakrishnan <
radhakrishnan.mo...@gmail.com> wrote:

> Hi,
>       Ok. I am just trying to understand the rules for refreshing an
> intermediate certificate or any other certificate that has expired or
> has been compromised without breaking the SSL connection.
>
> Thanks,
> Mohan
>
> On Thu, Aug 19, 2010 at 9:06 PM, Sam Jantz <sjan...@gmail.com> wrote:
> > Mohan,
> > Unless the certificate is self-signed there is no way to change the
> > information without having to invalidate it by signing it yourself anyway.
> > You would either have to get a new certificate from the same (or other
> > trusted) CA, and install that one, or (if it is self-signed) generate a new
> > certificate and sign it yourself with the same private key as before, and
> > then start using the new one.  So I am not familiar with the Java interface
> > with SSL, but in C at least you would create this new cert using the X509
> > library.  Hope this helps shed some light.
> >
> >      -Sam
> >
> > On Thu, Aug 19, 2010 at 6:24 AM, Mohan Radhakrishnan
> > <radhakrishnan.mo...@gmail.com> wrote:
> >>
> >> Hi John,
> >>               Yes. We do use SSL certificates. You can consider me a
> >> newbie. I am just trying to understand the ways to roll an
> >> intermediate or any other certificate that is going to expire soon
> >> without causing an outage. Is that possible at all?
> >>
> >> (e.g)
> >> If a certificate is compromised I am trying to roll to a new
> >> certificate without bringing down my java application.
> >>
> >> Thanks,
> >> Mohan
> >>
> >> On Thu, Aug 19, 2010 at 2:11 PM, John Doe <jd...@yahoo.com> wrote:
> >> > From: Mohan Radhakrishnan <radhakrishnan.mo...@gmail.com>
> >> >
> >> >>           Is there any material that shows how to roll to new
> >> >> certificates using OpenSSL? I am looking for a test case to
> >> >> understand how this works. Anyone know about this?
> >> >
> >> > Did you try to google something like "generate certificate openssl" or
> >> > "openssl
> >> > certificates howto"...?
> >> >
> >> > JD
> >> >
> >> >
> >> >
> >> > ______________________________________________________________________
> >> > OpenSSL Project                                 http://www.openssl.org
> >> > User Support Mailing List                    openssl-users@openssl.org
> >> > Automated List Manager                           majord...@openssl.org
> >> >
> >
> >
> >
> > --
> > Sam Jantz
> > Software Engineer
> >
> >
>



-- 
Sam Jantz
Software Engineer
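The checks Sam describes doing "from within the program" beforehand, together with the "test case" for rolling an intermediate certificate that Mohan asks for further down the thread, as an added example that is not code from this thread or from the OpenSSL project. It uses only the openssl command line and assumes an openssl binary (1.1.x or 3.x) on PATH plus a writable scratch directory; every file name, subject and host name in it is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from this thread or from the OpenSSL project.
# Builds a root -> intermediate -> leaf chain with the openssl CLI, runs the
# checks a server operator should do beforehand (key matches cert, nothing
# about to expire, chain verifies), then rolls the intermediate to a new key
# and cert from the same root and repeats the checks before the new chain is
# installed. Every name, path and subject below is constructed test data.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumed writable)
cd "$WORK"

# Minimal req config so the example does not depend on the system openssl.cnf;
# -subj on the command line supplies the real subject.
cat > min.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF
cat > ca.ext <<'EOF'
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
cat > leaf.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# new_key NAME: unencrypted 2048-bit RSA key (test data only)
new_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null
}

# csr NAME CN: certificate request for NAME.key
csr() {
  openssl req -new -config min.cnf -subj "/CN=$2" -key "$1.key" -out "$1.csr" 2>/dev/null
}

# self_signed NAME CN: root CA certificate
self_signed() {
  new_key "$1"; csr "$1" "$2"
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3650 -extfile ca.ext \
    -out "$1.crt" 2>/dev/null
}

# issue NAME CN ISSUER EXTFILE DAYS: certificate for a fresh key, signed by ISSUER
issue() {
  new_key "$1"; csr "$1" "$2"
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -days "$5" -extfile "$4" -out "$1.crt" 2>/dev/null
}

# preflight LEAF INTERMEDIATE ROOT SECONDS: return non-zero if LEAF.key does not
# match LEAF.crt, if LEAF or INTERMEDIATE expires within SECONDS, or if the
# chain LEAF <- INTERMEDIATE <- ROOT does not verify.
preflight() {
  [ "$(openssl x509 -in "$1.crt" -noout -pubkey)" = "$(openssl pkey -in "$1.key" -pubout)" ] \
    || { echo "$1: private key does not match certificate"; return 1; }
  for c in "$1" "$2"; do
    openssl x509 -in "$c.crt" -noout -checkend "$4" >/dev/null \
      || { echo "$c: certificate expires within $4 seconds"; return 1; }
  done
  openssl verify -CAfile "$3.crt" -untrusted "$2.crt" "$1.crt" >/dev/null 2>&1 \
    || { echo "$1: chain does not verify to $3"; return 1; }
}

# Current deployment: root (10 years), first intermediate (1 year), leaf (90 days)
self_signed root "Example Test Root"
issue inter1 "Example Test Intermediate G1" root ca.ext 365
issue leaf1 "www.example.test" inter1 leaf.ext 90
preflight leaf1 inter1 root 86400
echo "current chain passes preflight"

# Roll the intermediate: new key and cert from the same root, then a new leaf
# signed by it. Nothing in the running configuration changes until this passes.
issue inter2 "Example Test Intermediate G2" root ca.ext 365
issue leaf2 "www.example.test" inter2 leaf.ext 90
preflight leaf2 inter2 root 86400
echo "new chain passes preflight"

# What preflight catches: the new leaf presented with the old intermediate
preflight leaf2 inter1 root 86400 || echo "mixed chain rejected, as expected"

# Only now assemble what the server will send (leaf first, then its issuer)
cat leaf2.crt inter2.crt > fullchain.pem
```

The point of the script is the order of operations: the new intermediate and leaf are generated and checked as plain files, and the running server is only pointed at fullchain.pem after all three checks pass. A bad key/cert pair, a certificate about to expire or a chain that does not lead to the trusted root fails here, in the operator's hands, rather than at the first client handshake where, as Sam says, you don't get a second try.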
