On 20.02.2014 17:57, Viktor Dukhovni wrote:
On Thu, Feb 20, 2014 at 11:26:20AM +0100, Walter H. wrote:

the older CentOS 4.x has in its ca-bundle.crt a root certificate that expired at the end of last month (on Jan. 28th, 2014), also attached (rootexpired.txt), no other valid root certificate of this CA (GlobalSign) can be found in this ca-bundle.crt; can someone tell me in clear logic, how it can be, that a totally different root certificate was used to verify the server certificate?

When a root CA is re-issued with the same public key, subject name, subject key identifier, ... updating only the expiration dates and serial number, the old root looks like the right issuer of any certificates issued by the new root to any verifiers (such as your old CentOS box) that have only that certificate in their trust store.

Thanks, this sounds logical to me; but one question: in the extensions config file you have this:

subjectKeyIdentifier=hash

Which parts of the certificate are included in generating this hash value?

Thanks,
Walter
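An added example, not part of the thread: OpenSSL's `subjectKeyIdentifier=hash` follows RFC 5280 section 4.2.1.2 method 1, a SHA-1 digest over the value of the subjectPublicKey BIT STRING only (tag, length and unused-bits octet excluded). The validity dates and serial number are not inputs, so a root re-issued with the same key keeps the same identifier. The helper names and the sample key bytes below are constructed for illustration.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def public_key_bits(spki_der):
    """Extract the subjectPublicKey bit string value from a SubjectPublicKeyInfo."""
    tag, body, _ = read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, _algorithm, nxt = read_tlv(body, 0)     # AlgorithmIdentifier: not hashed
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, bits, _ = read_tlv(body, nxt)
    if tag != 0x03 or not bits or bits[0] != 0:
        raise ValueError("expected BIT STRING with zero unused bits")
    return bits[1:]                              # drop the unused-bits octet

def key_identifier(spki_der):
    """RFC 5280 4.2.1.2 method 1: SHA-1 over the public key bits only."""
    return hashlib.sha1(public_key_bits(spki_der)).digest()

def ed25519_spki(raw_key):
    """Wrap 32 raw bytes in an Ed25519 SubjectPublicKeyInfo (RFC 8410 layout)."""
    algorithm = bytes.fromhex("300506032b6570")  # SEQUENCE { OID 1.3.101.112 }
    return b"\x30\x2a" + algorithm + b"\x03\x21\x00" + raw_key

# Constructed sample keys (arbitrary bytes, not real key material).
KEY_A = bytes(range(32))
KEY_B = bytes(range(1, 33))

if __name__ == "__main__":
    # Old and re-issued root share KEY_A, so both carry this identifier.
    print("same key :", key_identifier(ed25519_spki(KEY_A)).hex())
    print("other key:", key_identifier(ed25519_spki(KEY_B)).hex())
```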