2008/6/16 Michael Ströder <[EMAIL PROTECTED]>:
> Gilles Cuesta wrote:
>>
>> So, at a time, we have 2 ClientCA with different key and different
>> validity period, but same DN.
>
> This is bad practice. Try searching for "CA key roll-over".

I found docs about it, but proprietary PKI, and couldn't know if this feature is implemented ...

>
>> The problem is, when verifying client cert work with both ClientCA
>> stacked; but when using CRL, old clients work only if CRL is signed by
>> old ClientCA.
>
> Well, you asked for trouble...
>
> You could try to add the authorityKeyIdentifier extension to the CRL if it's
> also present in the CA certs. This could work with some software.
>

Here we are :D

apache.crl
  Certificate Revocation List (CRL):
    Version 2 (0x1)
    ...
    X509v3 Authority Key Identifier:
      keyid:B8:85:B4...

apache-caclient.cer
  Certificate:
    ...
    Validity
      Not Before: Feb 29 12:23:38 2007 GMT
      Not After : Feb 29 12:23:58 2011 GMT
    ...
    X509v3 Key Usage: critical
      Certificate Sign, CRL Sign
    ...
    X509v3 Subject Key Identifier:
      B8:85:B4...
    X509v3 Authority Key Identifier:
      keyid:56:4D:A9...

apache-caclient-old.cer
  Certificate:
    ...
    Validity
      Not Before: May 18 14:35:12 2005 GMT
      Not After : May 18 14:35:12 2009 GMT
    ...
    X509v3 extensions:
      X509v3 Key Usage: critical
        Certificate Sign, CRL Sign
      ...
      X509v3 Subject Key Identifier:
        87:1D:FC...
      X509v3 Authority Key Identifier:
        keyid:56:4D:A9...

But it doesn't work as is, issuing "signature verification error" in Apache error logs ...
Is there something to be modified in Apache/mod_ssl conf?

Thank you

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]
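The two CA certificates above share one subject DN, and the CRL's Authority Key Identifier names only one of their Subject Key Identifiers. The following added example, which is not from the thread or from mod_ssl, rebuilds that situation with constructed keys using Python's cryptography package and shows why a verifier that picks the CA by issuer name alone can report a signature verification error, while one that also matches the CRL's AKI against each CA's SKI selects the key that really signed it. The function names, the "ClientCA" name and the assumption that the CRL carries an AKI are mine.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# Constructed shared subject DN: both CA generations carry exactly this name.
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "ClientCA")])
NOW = datetime.now(timezone.utc)

def make_ca(days_back, days_forward):
    """Self-signed CA with a Subject Key Identifier; each call yields a fresh key."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(CA_NAME).issuer_name(CA_NAME)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(days=days_back))
            .not_valid_after(NOW + timedelta(days=days_forward))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
            .sign(key, hashes.SHA256()))
    return key, cert

def make_crl(ca_key, ca_cert):
    """Empty CRL signed by ca_key whose authorityKeyIdentifier names ca_cert's SKI."""
    ski = ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
    return (x509.CertificateRevocationListBuilder()
            .issuer_name(ca_cert.subject)
            .last_update(NOW).next_update(NOW + timedelta(days=1))
            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski), critical=False)
            .sign(ca_key, hashes.SHA256()))

def first_by_dn(crl, ca_certs):
    """DN-only lookup: with duplicate DNs this returns whichever CA comes first."""
    return next((ca for ca in ca_certs if ca.subject == crl.issuer), None)

def find_crl_signer(crl, ca_certs):
    """DN match plus AKI == SKI match, so the CA that really signed the CRL is chosen."""
    aki = crl.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value.key_identifier
    for ca in ca_certs:
        ski = ca.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest
        if ca.subject == crl.issuer and ski == aki:
            return ca
    return None

def crl_verifies_against(crl, ca_certs):
    """True only if the CA selected by AKI/SKI actually verifies the CRL signature."""
    ca = find_crl_signer(crl, ca_certs)
    return ca is not None and crl.is_signature_valid(ca.public_key())
```

With the old CA listed after the new one, first_by_dn() returns the new CA and its key does not verify a CRL signed by the old one, which is the same failure the error log reports; find_crl_signer() picks the old CA because its SKI equals the CRL's AKI.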