#3
06-16-2008
Gilles Cuesta
Re: Generic question on CRL use

2008/6/16 Michael Ströder <michael@stroeder.com>:
> Gilles Cuesta wrote:
>>
>> So, at one time, we have 2 ClientCAs with different keys and different
>> validity periods, but the same DN.
>
> This is bad practice. Try searching for "CA key roll-over".


I found docs about it, but for proprietary PKIs, and couldn't tell whether this
feature is implemented ...

>
>> The problem is, verifying client certs works with both ClientCAs
>> stacked; but when using a CRL, old clients work only if the CRL is signed by
>> the old ClientCA.
>
> Well, you asked for trouble...
>
> You could try to add the authorityKeyIdentifier extension to the CRL if it's
> also present in the CA certs. This could work with some software.
>


Here we are :D

apache.crl
Certificate Revocation List (CRL):
        Version 2 (0x1)
        ....
            X509v3 Authority Key Identifier:
                keyid:B8:85:B4...

apache-caclient.cer
Certificate:
        ....
        Validity
            Not Before: Feb 29 12:23:38 2007 GMT
            Not After : Feb 29 12:23:58 2011 GMT
        ....
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
        ....
            X509v3 Subject Key Identifier:
                B8:85:B4...
            X509v3 Authority Key Identifier:
                keyid:56:4D:A9...

apache-caclient-old.cer
Certificate:
        ....
        Validity
            Not Before: May 18 14:35:12 2005 GMT
            Not After : May 18 14:35:12 2009 GMT
        ....
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
        ....
            X509v3 Subject Key Identifier:
                87:1D:FC...
            X509v3 Authority Key Identifier:
                keyid:56:4D:A9...

But it doesn't work as is; the Apache error log reports "signature verification
error" ...

Is there something to be modified in the Apache/mod_ssl configuration?

Thank you
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

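The situation in this post, reproduced with the openssl command-line tool as an added example (this is not code from the thread, from mod_ssl or from any of the posters): two self-signed CA certificates with the same DN but different keys, a CRL signed by the newer key and carrying an authorityKeyIdentifier, and three checks: whether the CRL verifies against each CA on its own, what a lookup that selects the issuer by DN alone (which is how `openssl crl -CAfile` chooses the issuer certificate) makes of a bundle holding both, and how a key-identifier-aware selection finds the right issuer. The DN /CN=ClientCA, the file names old/new/apache.crl, the lifetimes and the scratch directory are assumptions of the example; the real certificates and CRL from the post are not used.

```shell
#!/bin/sh
# Added example (not from the thread, not mod_ssl code): reproduce a CA key
# roll-over in which two CA certificates share one DN, sign a CRL with the
# newer key, and see which CA a verifier can check that CRL against.
# Needs the openssl command-line tool (1.1.1 or later). Everything lives in a
# scratch directory; names, DN and lifetimes are assumptions of the example.
set -eu

# Minimal config usable by both "openssl req -x509" and "openssl ca -gencrl".
write_config() {  # write_config DIR
    cat > "$1/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = ClientCA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = clientca
[ clientca ]
database = $1/index.txt
serial = $1/serial
crlnumber = $1/crlnumber
new_certs_dir = $1
default_md = sha256
default_crl_days = 30
crl_extensions = crl_ext
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
}

# Self-signed CA; the DN is identical on every call, only the key differs.
make_ca() {  # make_ca DIR NAME
    openssl req -x509 -config "$1/ca.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -keyout "$1/$2.key" -out "$1/$2.crt" \
        -days 365 -subj "/CN=ClientCA" 2>/dev/null
}

# Empty CRL signed by the named CA, with the CRL's authorityKeyIdentifier set.
make_crl() {  # make_crl DIR SIGNER OUTFILE
    : > "$1/index.txt"
    echo 1000 > "$1/serial"
    echo 01 > "$1/crlnumber"
    openssl ca -gencrl -config "$1/ca.cnf" -name clientca \
        -keyfile "$1/$2.key" -cert "$1/$2.crt" -out "$3" 2>/dev/null
}

# "openssl crl -CAfile" looks the issuer up by the CRL's issuer DN and then
# checks the signature with that certificate's key. Prints yes or no.
crl_verifies() {  # crl_verifies CRL CAFILE
    if openssl crl -in "$1" -noout -CAfile "$2" 2>&1 | grep -q 'verify OK'; then
        echo yes
    else
        echo no
    fi
}

# Hex key identifiers: the CRL's authorityKeyIdentifier and a certificate's
# subjectKeyIdentifier (the "keyid:" prefix is printed by 1.1.1, not by 3.x).
crl_keyid() {  # crl_keyid CRL
    openssl crl -in "$1" -noout -text \
        | sed -n '/Authority Key Identifier/{n;p;}' \
        | sed 's/.*keyid://; s/^[[:space:]]*//'
}
cert_keyid() {  # cert_keyid CERT
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Key Identifier/{n;p;}' | sed 's/^[[:space:]]*//'
}

# What a keyid-aware verifier does: among candidate CA certificates carrying
# the issuer's DN, take the one whose subjectKeyIdentifier equals the CRL's
# authorityKeyIdentifier, and only then check the signature.
issuer_by_keyid() {  # issuer_by_keyid CRL CERT...
    crl=$1; shift
    want=$(crl_keyid "$crl")
    for cert in "$@"; do
        if [ "$(cert_keyid "$cert")" = "$want" ] \
           && [ "$(crl_verifies "$crl" "$cert")" = yes ]; then
            echo "$cert"
            return 0
        fi
    done
    echo none
    return 1
}

DEMO=$(mktemp -d)
write_config "$DEMO"
make_ca "$DEMO" old
make_ca "$DEMO" new                      # roll-over: same DN, new key
make_crl "$DEMO" new "$DEMO/apache.crl"  # CRL issued after the roll-over
cat "$DEMO/old.crt" "$DEMO/new.crt" > "$DEMO/both.crt"

echo "CRL authorityKeyIdentifier  : $(crl_keyid "$DEMO/apache.crl")"
echo "old.crt subjectKeyIdentifier: $(cert_keyid "$DEMO/old.crt")"
echo "new.crt subjectKeyIdentifier: $(cert_keyid "$DEMO/new.crt")"
echo "CRL verifies against old.crt: $(crl_verifies "$DEMO/apache.crl" "$DEMO/old.crt")"
echo "CRL verifies against new.crt: $(crl_verifies "$DEMO/apache.crl" "$DEMO/new.crt")"
echo "CRL against both.crt (issuer picked by DN): $(crl_verifies "$DEMO/apache.crl" "$DEMO/both.crt")"
echo "issuer picked by keyid: $(issuer_by_keyid "$DEMO/apache.crl" "$DEMO/old.crt" "$DEMO/new.crt")"
```

Run it with sh; it needs openssl 1.1.1 or later on PATH. The CRL verifies only against new.crt, and its authorityKeyIdentifier equals new.crt's subjectKeyIdentifier, so a verifier that matches key identifiers has everything it needs. The result for both.crt, by contrast, depends on which of the two same-DN certificates the DN-based lookup returns first, which is exactly the ambiguity the authorityKeyIdentifier exists to remove; a "signature verification error" is what that lookup produces when it lands on the old certificate. Whether the mod_ssl build in the post honours the keyid is not something this example can settle.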