Quote from Martijn Brinkers <[email protected]>:
>> Is it even PKI conform to have sub-CA and certificates with longer validity than the root-CA?
>
> Although it's a bit strange to give the sub-CA a longer validity period than the root, PKI-wise it's not problematic, because the certificates are only valid if the complete chain is valid. What sometimes happens is that CAs reuse the private key from the root (or sub-CA) to issue a new CA certificate with a new validity period. It could be that they have issued a new root with the same key.
So in fact the certificates issued by trustcenter.de are invalid because the root-CA is invalid (expired)?
The chain is as follows:

root-CA     : valid from 09.03.1998 11:59:59 GMT - 01.01.2011 11:59:59 GMT --> expired
sub-CA      : Nov 26 16:01:23 2007 GMT - Dec 31 22:59:59 2025 GMT
certificate : 23.03.2008 until 23.03.2011
>> We have a problem with certificates used by some customers which are basically valid (certificate and sub-CA) but have an expired root-CA. We have deleted the expired root-CA some time ago and now all user certificates are invalid.
>
> Do you still want to continue using those certificates to encrypt with, or are you going to use new certificates? If you want to keep using those certificates when the root is missing or expired, you can force them to be 'valid' for encryption by adding the individual certificates to the "Certificate Trust List" (white list the certificates). You should do this only if you are certain that the certificates are valid for the recipient.
This is a little bit awkward because the certificates are used by external users. So from time to time a certificate is grabbed by Djigzo but can't be used because of the expired root-CA. The certificates from www.trustcenter.de are commonly used in Germany, and with a 3 year validity we expect to see some more of them signed by the old root. I even wonder if Trustcenter.de has noticed the problem, because they still seem to issue certificates signed by the sub-CA which belongs to the expired root-CA.
Many thanks,
Andreas
_______________________________________________ Users mailing list [email protected] http://lists.djigzo.com/lists/listinfo/users
