Hi,

What will be the recommendation from the open source community for
supporting the following scenario in an OpenSSL-based client/server
application:

*The certificates involved:*
old CA certificate of the CA authority (root)
new CA certificate of the CA authority (root)
Server's end entity certificate issued by the old CA certificate
Server's end entity certificate issued by the new CA certificate
Client's end entity certificate issued by the new CA certificate
SSL_VERIFY_PEER set to TRUE, i.e., the client verifies the server certificate
and the server verifies the client certificate.

*Scenario:*
Now, the client in its SSL_load_verify_locations() will need to load both
the old CA certificate as well as the new CA certificate. This will be to
make sure that the connection is successful when the server sends the new
end entity certificate or even when the server sends its old EE
certificate (no CRLs involved as of now).

So, now it is like loading multiple trust anchors in a single file.
So here, is it better to use the CAFile option to load the CA certificates
for verification (putting both the old CA certificate and the new CA
certificate into a single concatenated PEM file (CAFile)), or is it better
to use the CAPath option for this scenario: generating hashes for the old CA
certificate and the new CA certificate separately and putting them into one
common directory (CAPath)?
Basically we wanted to know if CAFile would give a problem in case of
multiple trust anchor certificates put together.


Regds,
Ashok
