2008/6/16 Michael Ströder <[EMAIL PROTECTED]>:
> Gilles Cuesta wrote:
>>
>> So, at a time, we have 2 ClientCA with different key and different
>> validity period, but same DN.
>
> This is bad practice. Try searching for "CA key roll-over".
I found docs about it, but only for proprietary PKIs, and couldn't tell whether this
feature is implemented ...
>
>> The problem is, when verifying client cert work with both ClientCA
>> stacked; but when using CRL, old clients work only if CRL is signed by
>> old ClientCA.
>
> Well, you asked for trouble...
>
> You could try to add the authorityKeyIdentifier extension to the CRL if it's
> also present in the CA certs. This could work with some software.
>
Here we are :D

apache.crl
    Certificate Revocation List (CRL):
        Version 2 (0x1)
        ...
            X509v3 Authority Key Identifier:
                keyid:B8:85:B4...

apache-caclient.cer
    Certificate:
        ...
            Validity
                Not Before: Feb 29 12:23:38 2007 GMT
                Not After : Feb 29 12:23:58 2011 GMT
        ...
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
        ...
            X509v3 Subject Key Identifier:
                B8:85:B4...
            X509v3 Authority Key Identifier:
                keyid:56:4D:A9...

apache-caclient-old.cer
    Certificate:
        ...
            Validity
                Not Before: May 18 14:35:12 2005 GMT
                Not After : May 18 14:35:12 2009 GMT
        ...
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Certificate Sign, CRL Sign
        ...
                X509v3 Subject Key Identifier:
                    87:1D:FC...
                X509v3 Authority Key Identifier:
                    keyid:56:4D:A9...
But it doesn't work as is, issuing "signature verification error" in the
Apache error logs ...
Is there something to be modified in the Apache/mod_ssl conf?
Thank you
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
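The dumps above show the heart of the problem: the CRL's authorityKeyIdentifier (B8:85:B4...) names the key of the new ClientCA, while the old ClientCA's subjectKeyIdentifier is 87:1D:FC..., and both CA certificates carry the same DN. A verifier that selects the CRL issuer by subject name alone can pick the old certificate, try the wrong public key, and report exactly the "signature verification error" seen in the Apache log; a verifier that matches the CRL's AKI against the candidate CAs' SKIs picks the right key. The shell script below is an added example, not part of the thread or of mod_ssl: it rebuilds the situation with OpenSSL (two CA certificates with the same DN but different keys, self-signed here instead of issued by a parent CA as in the thread; an empty CRL signed by the new key with an AKI extension), then shows a name-only signature check failing against the old CA and succeeding against the new one, and a key-id based issuer selection that finds the correct CA. The CN "ClientCA", the file names and the temporary working directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or mod_ssl): rebuild the CA key roll-over
# case with OpenSSL and show that a CRL issuer must be matched by key id, not
# by subject name. Everything below is constructed: CN=ClientCA, file names
# and the temporary working directory are assumptions.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# One config serves three purposes: the CA cert extensions (SKI/AKI and the
# CRL Sign key usage seen in the thread), a minimal "openssl ca" section for
# -gencrl, and the CRL extension section that adds authorityKeyIdentifier.
cat > ca.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = ClientCA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
default_md = sha256
default_crl_days = 30
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF

# Two CA certificates with the same DN but different keys (self-signed here
# for brevity; in the thread both are issued by the same parent CA).
for name in old new; do
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -config ca.cnf -keyout "$name.key" -out "$name.cer" 2>/dev/null
done

# An empty CRL signed by the NEW key, carrying the AKI of the new CA cert.
: > index.txt
openssl ca -gencrl -config ca.cnf -name demo -keyfile new.key -cert new.cer \
  -crlexts crl_ext -out apache.crl 2>/dev/null

# Subject Key Identifier of a CA certificate, as colon-separated hex.
cert_ski() {
  openssl x509 -in "$1" -noout -text |
    awk '/Subject Key Identifier/ { getline; gsub(/[ \t]/, ""); print; exit }'
}

# Authority Key Identifier of a CRL. OpenSSL 1.x prints "keyid:XX:..",
# OpenSSL 3 prints the bare hex, so the optional prefix is stripped.
crl_aki() {
  openssl crl -in "$1" -noout -text |
    awk '/Authority Key Identifier/ { getline; gsub(/[ \t]/, ""); sub(/^keyid:/, ""); print; exit }'
}

# Signature check of a CRL against one candidate CA certificate.
# "openssl crl -verify -CAfile" picks the issuer by subject name only, so with
# two CAs of the same DN this is exactly the check that fails for the wrong key.
crl_verifies_with() {
  openssl crl -in "$1" -noout -verify -CAfile "$2" 2>&1 | grep -q '^verify OK'
}

# Select the CRL issuer by key id: the CA whose SKI equals the CRL's AKI.
# Prints the matching file name; returns 1 if no candidate matches.
crl_issuer_for() {
  crl="$1"; shift
  aki="$(crl_aki "$crl")"
  for cert in "$@"; do
    if [ "$(cert_ski "$cert")" = "$aki" ]; then
      printf '%s\n' "$cert"
      return 0
    fi
  done
  return 1
}

printf 'old.cer SKI   : %s\n' "$(cert_ski old.cer)"
printf 'new.cer SKI   : %s\n' "$(cert_ski new.cer)"
printf 'apache.crl AKI: %s\n' "$(crl_aki apache.crl)"
printf 'issuer picked by key id: %s\n' "$(crl_issuer_for apache.crl old.cer new.cer)"
for cert in old.cer new.cer; do
  if crl_verifies_with apache.crl "$cert"; then
    echo "CRL signature verifies against $cert"
  else
    echo "CRL signature does NOT verify against $cert (the error from the thread)"
  fi
done
```

Run it with `sh`; it needs only the openssl command line tool, awk and grep. The last loop prints a failure for old.cer and success for new.cer, and the key-id selection names new.cer, which is what a verifier has to do once two CA certificates share a DN: without that step there is no configuration knob that makes a CRL signed by one key validate under the other.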