> Is it even PKI-conformant to have sub-CA and certificates with longer
> validity than the root-CA?

Although it's a bit strange to give the sub-CA a longer validity period
than the root, it's not problematic for PKI because the certificates are
only valid if the complete chain is valid. What sometimes happens is
that CAs reuse the private key from the root (or sub-CA) to issue a new
CA certificate with a new validity period. It could be that they have
issued a new root with the same key.


> we have a problem with certificates used by some customers which are
> basically valid (certificate and sub CA) but have expired root-CA. We
> have deleted the expired root-CA some time ago and now all user
> certificates are invalid.

Do you still want to continue using those certificates to encrypt with?
Or are you going to use new certificates?

If you want to keep using those certificates when the root is missing
or expired you can force them to be 'valid' for encryption by adding the
individual certificates to the "Certificate Trust List" (whitelist the
certificates). You should do this only if you are certain that the
certificates are valid for the recipient.

Kind regards,

Martijn

-- 
Djigzo open source email encryption


_______________________________________________
Users mailing list
[email protected]
http://lists.djigzo.com/lists/listinfo/users
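
The chain rule and the same-key re-issue described in the reply above, as an added example that is not part of the original message or of Djigzo's code. It is a simplified model, not a real X.509 validator; the `Cert` fields, names, key identifiers and dates are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:                  # simplified model of a certificate (assumption)
    subject: str
    issuer: str
    key_id: str              # identifies the subject's key pair
    signer_key_id: str       # key pair that signed this certificate
    not_before: date
    not_after: date

def chain_window(leaf, pool):
    """Return (start, end) of the chain from leaf to a self-signed root in
    pool that stays valid longest, or None if no valid chain exists."""
    best = None
    stack = [(leaf, leaf.not_before, leaf.not_after, 0)]
    while stack:
        cert, start, end, depth = stack.pop()
        if start > end or depth > 8:      # empty window, or runaway/cyclic path
            continue
        if cert.issuer == cert.subject and cert.signer_key_id == cert.key_id:
            if best is None or end > best[1]:
                best = (start, end)       # reached a self-signed root
            continue
        for ca in pool:
            # An issuer matches by name AND by key, so a root re-issued with
            # the same key is a valid parent for the existing sub-CA.
            if ca.subject == cert.issuer and ca.key_id == cert.signer_key_id:
                stack.append((ca, max(start, ca.not_before),
                              min(end, ca.not_after), depth + 1))
    return best

# Constructed sample data: the sub-CA outlives the old root.
OLD_ROOT = Cert("Example Root", "Example Root", "root-key", "root-key",
                date(2005, 1, 1), date(2015, 1, 1))
SUB_CA = Cert("Example Sub CA", "Example Root", "sub-key", "root-key",
              date(2010, 1, 1), date(2025, 1, 1))
USER = Cert("user@example.test", "Example Sub CA", "user-key", "sub-key",
            date(2014, 1, 1), date(2017, 1, 1))
# New root certificate issued over the SAME key with a new validity period.
NEW_ROOT = Cert("Example Root", "Example Root", "root-key", "root-key",
                date(2014, 6, 1), date(2030, 1, 1))

if __name__ == "__main__":
    print("old root only:   ", chain_window(USER, [SUB_CA, OLD_ROOT]))
    print("root deleted:    ", chain_window(USER, [SUB_CA]))
    print("re-issued root:  ", chain_window(USER, [SUB_CA, OLD_ROOT, NEW_ROOT]))
```

With only the old root, the user certificate's usable period ends when the root expires, regardless of the sub-CA's longer validity; importing the re-issued root restores a valid chain without touching the sub-CA or user certificates.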
