On Mon, Nov 15, 2004, [EMAIL PROTECTED] wrote:
>
> The link that outlook appears to use is the serial number, if it does not
> find a certificate with the same serial number as the one in the message
> it will not find the private key to decrypt the message.
>

This is part of the S/MIME v2 (PKCS#7) standards. The recipient is
identified by the certificate's issuer name and serial number.

> I have proven this by forcing the CA command to produce a new certificate
> from the original request and original keys with the same serial number.
> This works - but I was not sure if this is the only way.
>

The CA commands don't let you easily do this for a good reason. It is a
violation of the standards. The issuer name and serial number should be
unique. If distinct certificates exist with the same issuer name and serial
number quite a lot of software will misbehave or produce hard to trace
errors.

> So I now have to decide,
>
> Do I do the above and force renewals to have the same keys, serial number
> and details from the original req.
>
> or do I tell the end users to open old mail they have to have the expired
> certificates on the system too.
>
> I hope the conversations in this message help others to realize what is
> going on. All the best.
>

Well unless the software provides a means to reencrypt with a new
certificate the only way is to keep the old certificates and private keys
on the system.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                              [EMAIL PROTECTED]
Automated List Manager                                 [EMAIL PROTECTED]
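The lookup Steve describes, shown as an added example that is not part of this thread and not OpenSSL code: a PKCS#7/CMS EnvelopedData names each recipient with an IssuerAndSerialNumber (SEQUENCE of the issuer Name and the certificate serial), and the mail client finds the private key by locating a local certificate with exactly that issuer and serial. The code below hand-encodes that structure in DER with a tiny pure-Python encoder, parses it back, and runs the lookup against a constructed certificate store. The certificate labels, serial numbers and `key_id` strings are placeholders standing in for real certificates and private keys; the issuer comparison is a byte-for-byte DER comparison, which is a simplification of X.501 name matching.

```python
"""Model of how S/MIME (PKCS#7 / CMS) EnvelopedData identifies a recipient.

Added example, not from the mailing-list thread or from OpenSSL. It encodes
IssuerAndSerialNumber (RFC 2315 / RFC 5652) in DER and performs the
issuer+serial lookup a mail client does before it can decrypt.
"""
from dataclasses import dataclass


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_integer(value: int) -> bytes:
    """DER INTEGER: minimal big-endian two's-complement encoding."""
    if value == 0:
        return der_tlv(0x02, b"\x00")
    n = (value.bit_length() + 8) // 8  # one extra bit for the sign, rounded up
    return der_tlv(0x02, value.to_bytes(n, "big", signed=True))


def der_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER from dotted notation, e.g. "2.5.4.3" (commonName)."""
    parts = [int(p) for p in dotted.split(".")]
    body = bytes([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        enc = bytearray([p & 0x7F])
        p >>= 7
        while p:  # base-128 with continuation bits
            enc.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        body += bytes(enc)
    return der_tlv(0x06, body)


def der_name(common_name: str) -> bytes:
    """X.501 Name with a single RDN: CN=<common_name> (UTF8String)."""
    atv = der_tlv(0x30, der_oid("2.5.4.3") + der_tlv(0x0C, common_name.encode()))
    return der_tlv(0x30, der_tlv(0x31, atv))  # SEQUENCE { SET { ATV } }


def issuer_and_serial(issuer_der: bytes, serial: int) -> bytes:
    """IssuerAndSerialNumber ::= SEQUENCE { issuer Name, serialNumber INTEGER }"""
    return der_tlv(0x30, issuer_der + der_integer(serial))


def der_read(buf: bytes, pos: int = 0):
    """Return (tag, content, position after this TLV) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_issuer_and_serial(der: bytes):
    """Split a DER IssuerAndSerialNumber into (issuer Name as raw DER, serial int)."""
    tag, body, _ = der_read(der)
    if tag != 0x30:
        raise ValueError("IssuerAndSerialNumber must be a SEQUENCE")
    itag, _, after_issuer = der_read(body)
    if itag != 0x30:
        raise ValueError("issuer must be a Name (SEQUENCE)")
    issuer = body[:after_issuer]  # keep raw DER so the store can compare bytes
    stag, sbody, _ = der_read(body, after_issuer)
    if stag != 0x02:
        raise ValueError("serialNumber must be an INTEGER")
    return issuer, int.from_bytes(sbody, "big", signed=True)


@dataclass(frozen=True)
class LocalCert:
    """A certificate in the user's store; key_id is a placeholder for its private key."""
    label: str
    issuer: bytes
    serial: int
    key_id: str


def find_recipient_key(recipient_info: bytes, store):
    """Return the key_id whose certificate matches the message's issuer+serial, or None.

    Two certificates with the same issuer and serial violate the standard, so that
    case is reported as an error rather than silently picking one.
    """
    issuer, serial = parse_issuer_and_serial(recipient_info)
    matches = [c for c in store if c.issuer == issuer and c.serial == serial]
    if not matches:
        return None
    if len(matches) > 1:
        raise ValueError("ambiguous: duplicate issuer/serial in certificate store")
    return matches[0].key_id


# Constructed scenario: the old certificate and a renewal with the SAME key pair
# but a fresh serial, plus a message that was encrypted to the old certificate.
CA = der_name("Example Test CA")          # placeholder issuer
OLD_CERT = LocalCert("original", CA, 0x1001, "key-A")
RENEWED_CERT = LocalCert("renewal", CA, 0x1002, "key-A")  # same key, new serial
OLD_MESSAGE_RECIPIENT = issuer_and_serial(CA, 0x1001)


def demo():
    """Lookup results for the three situations discussed in the thread."""
    only_renewed = find_recipient_key(OLD_MESSAGE_RECIPIENT, [RENEWED_CERT])
    both_kept = find_recipient_key(OLD_MESSAGE_RECIPIENT, [OLD_CERT, RENEWED_CERT])
    try:
        # Reissuing with the original serial (the thread's workaround) yields two
        # certificates with the same issuer+serial once both are installed.
        find_recipient_key(OLD_MESSAGE_RECIPIENT, [OLD_CERT, OLD_CERT])
        duplicate_error = False
    except ValueError:
        duplicate_error = True
    return only_renewed, both_kept, duplicate_error


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows why the renewal alone cannot open old mail even though it holds the same private key: the RecipientInfo carries serial 0x1001, the renewed certificate carries 0x1002, and the lookup is on issuer and serial, not on the key. Keeping the expired certificate in the store restores the match, which is the practical advice in the reply.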