Hello, I am new to SSL and certificates and I have to set up Apache's Qpid broker using both server authentication and client authentication, which requires certificates on both sides. We will store a certificate from each client (which he has self-certified) on our Qpid broker machines using certutil. One question now was whether we could store two certificates of one client where

- the validity periods of both certificates overlap
- the subjects of the certificates are identical

I tested it and found that this is possible, even with identical nicknames. I added the certificates without specifying a serial number:

$ certutil -A -d data/0097 -n cbkfr -t "P,," -i data/0097/cbkfr.crt
$ certutil -A -d data/0097 -n cbkfr -t "P,," -i data/0097/cbkfr1.crt

Listing the certificates shows:

$ certutil -L -d data/0097

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
cbkfr                                                        P,,
cbkfr                                                        P,,

and

$ certutil -L -d data/0097 -n cbkfr

displays the information about both certificates. This shows that they have different serial numbers.

Now I wanted to see what happens if I explicitly specify the same serial number when adding both certificates:

$ certutil -A -d data/0097 -n cbkfr -t "P,," -i data/0097/cbkfr.crt -m 123
$ certutil -A -d data/0097 -n cbkfr -t "P,," -i data/0097/cbkfr1.crt -m 123

This works fine as well, and

$ certutil -L -d data/0097 -n cbkfr

shows that neither certificate has serial number 123; each has the serial number its .crt file already contained (checked with a Windows-based tool). Does that mean that the -m option is not valid for the -A action? The certutil tool doesn't complain!

That means for me that it is possible without problems to maintain multiple imported certificates with identical subject and overlapping validity period under the same nickname. But how can I remove one specific certificate of these, e.g. because it has expired and is therefore not used anymore? When I enter

$ certutil -D -d data/0097 -n cbkfr

one of the two certificates is deleted, but which one? The -m option is ignored here as well.

Best regards
Armin Noll

Deutsche Börse Systems AG
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
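As an added example (not from the original post), a small POSIX shell helper for the situation described above: it exports everything certutil holds under one nickname, one file per certificate, prints each certificate's serial number and expiry with openssl so the two can be told apart, and re-imports the ones to keep under distinct nicknames, since certutil -D selects by nickname only. It assumes certutil and openssl are on PATH and that `certutil -L -n <nick> -a` emits every certificate stored under the nickname in PEM form; the database path, nickname and trust flags in demo() are placeholders.

```shell
#!/bin/sh
# Split a PEM bundle read from stdin into one file per certificate in the
# given directory (cert-01.pem, cert-02.pem, ...); prints how many were written.
split_pem_bundle() {
    outdir="$1"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }'
}

# Export every certificate stored under a nickname and show the serial number
# and expiry of each, which is what distinguishes two certs with the same
# subject and nickname. Assumes certutil and openssl are installed.
export_by_nickname() {
    db="$1"; nick="$2"; outdir="$3"
    certutil -L -d "$db" -n "$nick" -a | split_pem_bundle "$outdir" >/dev/null
    for f in "$outdir"/cert-*.pem; do
        printf '%s: ' "$f"
        openssl x509 -in "$f" -noout -serial -enddate | tr '\n' ' '
        echo
    done
}

# certutil -D removes one certificate per call and cannot pick one by serial,
# so delete everything under the nickname, then re-import only the files you
# want to keep, each under its own nickname (nick-1, nick-2, ...), so that a
# single one can be deleted later.
reimport_distinct() {
    db="$1"; nick="$2"; trust="$3"; shift 3
    while certutil -D -d "$db" -n "$nick" 2>/dev/null; do :; done
    i=0
    for f in "$@"; do
        i=$((i + 1))
        certutil -A -d "$db" -n "$nick-$i" -t "$trust" -i "$f"
    done
}

# Placeholder walkthrough for the post's setup (db, nickname, trust are examples).
demo() {
    export_by_nickname data/0097 cbkfr /tmp/cbkfr-export
    # After reading the serials/expiry dates, keep only the current one:
    reimport_distinct data/0097 cbkfr "P,," /tmp/cbkfr-export/cert-02.pem
}
```

Running demo() requires the NSS database from the post; split_pem_bundle alone can be exercised on any PEM bundle.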