Hi all, new on the list, and not a tricky question :D

We use client cert authentication at our office. There is a CA chain like this:

  BigCA (self-signed)
    IntermediateCA (signed by BigCA)
      ServerCert (signed by IntermediateCA), used by Apache/mod_ssl
      ClientCA (signed by IntermediateCA)
        many clients (signed by ClientCA)

- ClientX has 1 year validity.
- ClientCA has 4 years validity, but is replaced at half life (2 years), so ClientX signed by the old ClientCA version remains valid until expiration.
- The CRL is signed by the recent ClientCA.

So, at a time, we have 2 ClientCAs with different keys and different validity periods, but the same DN.

The problem is: verifying client certs works with both ClientCAs stacked; but when using a CRL, old clients work only if the CRL is signed by the old ClientCA.

1/ Is it RFC compliant, and if not, why (reference?)
2/ If this is RFC compliant, why doesn't OpenSSL handle this?

Thanks for all help you could provide.

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]
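The rollover situation described in the post is easy to rebuild locally with the `openssl` command line, so here is an added reproduction script; it is not from the post, the mod_ssl project or the list. It assumes `openssl` 1.1.1 or later on PATH (it uses the `-CRLfile`, `-untrusted` and `-extended_crl` options of `openssl verify`), collapses BigCA and IntermediateCA into one throwaway root to keep the script short, and constructs all names, keys, validity periods and the working directory itself. It issues two "ClientCA" certificates with the same DN and different keys, a client certificate under the old one, an (empty) CRL under each, and then runs the verification cases the post describes: no CRL check, CRL signed by the old ClientCA, and CRL signed by the new ClientCA. A fourth run adds `-extended_crl` together with the new ClientCA as an untrusted certificate, which is the modern `openssl verify` knob for alternate CRL signing keys; the script prints whatever the local OpenSSL does with it rather than assuming an outcome, since the poster's mod_ssl-era build had no such option.

```shell
#!/bin/sh
# Added demo (not the poster's or mod_ssl's code): two ClientCA certs with the
# same DN but different keys, a client cert issued by the old one, and a CRL
# issued by each. Names, validity periods and the work dir are constructed here.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Self-contained OpenSSL config so no system openssl.cnf is needed.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
commonName = placeholder
[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[leaf_ext]
basicConstraints = CA:false
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ca]
default_ca = crl_only
[crl_only]
database = index.txt
serial = serial.txt
new_certs_dir = .
crlnumber = crlnumber
default_md = sha256
default_crl_days = 30
crl_extensions = crl_ext
[crl_ext]
authorityKeyIdentifier = keyid
EOF
touch index.txt; echo 01 > serial.txt; echo 01 > crlnumber

newkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# Throwaway root CA standing in for BigCA + IntermediateCA.
newkey root.key
openssl req -x509 -new -key root.key -subj "/CN=Demo Root CA" -days 3650 \
  -config demo.cnf -extensions ca_ext -out root.crt

# Two ClientCA certs with the SAME DN and different keys, each with its own CRL.
for v in old new; do
  newkey "clientca-$v.key"
  openssl req -new -key "clientca-$v.key" -subj "/CN=Demo Client CA" \
    -config demo.cnf -out "clientca-$v.csr"
  openssl x509 -req -in "clientca-$v.csr" -CA root.crt -CAkey root.key \
    -CAcreateserial -days 1460 -extfile demo.cnf -extensions ca_ext \
    -out "clientca-$v.crt"
  # Empty CRL (nothing revoked) signed by this ClientCA version.
  openssl ca -config demo.cnf -gencrl -cert "clientca-$v.crt" \
    -keyfile "clientca-$v.key" -out "crl-$v.pem"
done

# Client cert issued by the OLD ClientCA (the "ClientX" of the post).
newkey client.key
openssl req -new -key client.key -subj "/CN=client1" -config demo.cnf -out client.csr
openssl x509 -req -in client.csr -CA clientca-old.crt -CAkey clientca-old.key \
  -CAcreateserial -days 365 -extfile demo.cnf -extensions leaf_ext -out client.crt

# Trust store with both ClientCA versions "stacked", as in the post.
cat root.crt clientca-old.crt clientca-new.crt > trust.pem

# verify_client CRLFILE [extra openssl verify options]; prints OK or FAIL.
verify_client() {
  crl=$1; shift
  if openssl verify -crl_check -CAfile trust.pem -CRLfile "$crl" "$@" \
       client.crt >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

echo "no CRL check             : $(openssl verify -CAfile trust.pem client.crt 2>&1 | tail -1)"
echo "CRL signed by old CA     : $(verify_client crl-old.pem)"
echo "CRL signed by new CA     : $(verify_client crl-new.pem)"
echo "new CA CRL, -extended_crl: $(verify_client crl-new.pem -extended_crl -untrusted clientca-new.crt)"
```

The client certificate carries an authority key identifier, so chain building picks the old ClientCA out of the two same-DN candidates without ambiguity; the CRL signed by the new key is what breaks, because the default CRL lookup only accepts a CRL whose signer is the certificate's own issuer in the verified chain. Run it with `WORK=/some/dir` to keep the generated files for inspection with `openssl crl -text` and `openssl x509 -text`.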