On June 16, 2008 12:46:56 pm Gilles Cuesta wrote:
> 2008/6/16 Michael Ströder <michael@stroeder.com>:
> > Gilles Cuesta wrote:
> >> So, at a time, we have 2 ClientCA with different key and different
> >> validity period, but same DN.
> >
> > This is bad practice. Try searching for "CA key roll-over".
>
> I found docs about it, but proprietary PKI, and couldn't know if this
> feature is implemented ...
>
Check the IETF PKIX mailing list. There is a thread there by Santosh Chokhani
and Stefan Santesson that goes into this. Short answer is - you can do what
you want, but it's REALLY tricky, and Michael is right - best practice is to
version your CAs (so the current one is CA1, the next one is CA2, etc.).
> >> The problem is, when verifying client cert work with both ClientCA
> >> stacked; but when using CRL, old clients work only if CRL is signed by
> >> old ClientCA.
> >
> > Well, you asked for trouble...
> >
> > You could try to add the authorityKeyIdentifier extension to the CRL if
> > it's also present in the CA certs. This could work with some software.
>
> Here we are :D
>
Ummm I think you mean that you want to have, in the CRL DP in the client
certificate, the crlIssuer field of the CRL DP - problem is that 90% of the
software out there (Apache included) won't deal with it.
BTW: To handle the case that you are trying to do, there was a patch sent in
by Erwann ABALEA from Keynectis to the OpenSSL Users mailing list in
January/February this year, IIRC. Perhaps you could try that - you'd have to
do some fairly exotic things to mod_ssl, mind you, to get it to work :)
I'm with Michael - stop using the same name each time. Version your CAs.
Have fun.
--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)
www.modssl.org
User Support Mailing List
modssl-users@modssl.org
Automated List Manager
majordomo@modssl.org
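The failure mode discussed above (two CAs with the same DN but different keys, a client cert from the old one, and a CRL signed by the new one) can be reproduced with nothing but the openssl command-line tool. The script below is an added illustration; it is not part of this thread, of mod_ssl, or of OpenSSL's documentation. All names in it (the "ClientCA" DN, the "alice" client, the temporary directory, the config section names) are constructed for the demonstration, and it assumes an openssl binary of version 1.1.1 or later on PATH. It builds the two same-named CAs, issues a client certificate from CA1 with an authorityKeyIdentifier, then generates three CRLs: one from CA1 and one from CA2 that carry an authorityKeyIdentifier (Michael's suggestion), and one from CA2 without it (the situation Gilles has). It then runs openssl verify -crl_check against the stacked CA bundle with each CRL and classifies the result.

```shell
#!/bin/sh
# Added demonstration (not from the thread): same-DN CA key roll-over vs. CRLs.
# Everything lives in a throw-away directory; all names are constructed.
set -eu
WORK=$(mktemp -d)

# One config file serves 'openssl req' (CA and client) and 'openssl ca -gencrl'.
# ca_aki adds authorityKeyIdentifier to the CRL, ca_noaki does not.
cat > "$WORK/demo.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = ca_dn
x509_extensions    = ca_ext
[ ca_dn ]
CN = ClientCA
[ ca_ext ]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
[ client_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical,digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
[ ca ]
default_ca = ca_aki
[ ca_aki ]
database         = $WORK/index.txt
crlnumber        = $WORK/crlnumber
default_md       = sha256
default_crl_days = 30
crl_extensions   = crl_ext
[ ca_noaki ]
database         = $WORK/index.txt
crlnumber        = $WORK/crlnumber
default_md       = sha256
default_crl_days = 30
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF

# Two self-signed CAs: identical subject DN, fresh key each time (the bad practice).
for n in 1 2; do
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$WORK/demo.cnf" \
    -keyout "$WORK/ca$n.key" -out "$WORK/ca$n.crt" 2>/dev/null
done
cat "$WORK/ca1.crt" "$WORK/ca2.crt" > "$WORK/bundle.pem"   # both CAs "stacked"

# Client certificate issued by the OLD CA (ca1), with AKI pointing at ca1's key.
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/demo.cnf" -subj "/CN=alice" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -sha256 -days 30 -in "$WORK/client.csr" \
  -CA "$WORK/ca1.crt" -CAkey "$WORK/ca1.key" -CAcreateserial \
  -extfile "$WORK/demo.cnf" -extensions client_ext -out "$WORK/client.crt" 2>/dev/null

# Empty CA database: the CRLs revoke nothing, only their issuer/key matters here.
: > "$WORK/index.txt"
echo 01 > "$WORK/crlnumber"

# gen_crl <ca number> <config section> <output file>
gen_crl() {
  openssl ca -gencrl -config "$WORK/demo.cnf" -name "$2" \
    -cert "$WORK/ca$1.crt" -keyfile "$WORK/ca$1.key" -out "$3" 2>/dev/null
}
gen_crl 1 ca_aki   "$WORK/crl_ca1_aki.pem"
gen_crl 2 ca_aki   "$WORK/crl_ca2_aki.pem"
gen_crl 2 ca_noaki "$WORK/crl_ca2_noaki.pem"
cat "$WORK/crl_ca1_aki.pem" "$WORK/crl_ca2_aki.pem" > "$WORK/crl_both_aki.pem"

# check_crl <crl file>: prints ok, no-crl (no usable CRL found), bad-sig
# (CRL found but not signed by the cert's issuer key), or other.
check_crl() {
  if out=$(openssl verify -crl_check -CAfile "$WORK/bundle.pem" \
             -CRLfile "$1" "$WORK/client.crt" 2>&1); then
    echo ok; return 0
  fi
  case "$out" in
    *"unable to get certificate CRL"*) echo no-crl ;;
    *"CRL signature failure"*)         echo bad-sig ;;
    *)                                 echo "other: $out" ;;
  esac
}

printf '%-34s %s\n' "CRL from CA1, with AKI:"       "$(check_crl "$WORK/crl_ca1_aki.pem")"
printf '%-34s %s\n' "CRL from CA2, with AKI:"       "$(check_crl "$WORK/crl_ca2_aki.pem")"
printf '%-34s %s\n' "CRL from CA2, without AKI:"    "$(check_crl "$WORK/crl_ca2_noaki.pem")"
printf '%-34s %s\n' "CRLs from CA1 and CA2, both AKI:" "$(check_crl "$WORK/crl_both_aki.pem")"
echo "Artifacts left in $WORK"
```

The client certificate verifies only when a CRL issued under CA1's key is available. A CA2 CRL without an authorityKeyIdentifier is selected by name and then fails the signature check, which is the symptom in the thread; with the extension present, OpenSSL skips the CA2 CRL (no usable CRL) and, when both CRLs are supplied together, picks the CA1 one by key identifier. Whether other validators honour the extension that way is exactly the "could work with some software" caveat, and versioned CA names avoid the question entirely.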