> Way back in '97 Holger wrote:
> 
> > If you don't insist on a consistent index.txt for the ca prog you might do 
> > something along the following lines (not tested):
> > 
> >     x509 -in old_cert -out new_cert -days xxx -sign_key ca_key
> 
> I gave this a try just now.  The big problem is that you end up with a
> new cert which has the same hash as the old one, but a different
> signature.  So if you simply install it on a host in place of the
> old_cert, all the old certs fail on the signature.

That looks strange to me. Sure the signature is different (since
the content changed) but the (self) certified public key remains
the same. Thus both CA certs should be okay to verify the (end-user)
certs.

> I did find though that putting the following in certs:
> 
> hash.1 -> old_cert
> hash.0 -> new_cert

A short explanation of this: The hash is used to find a cert with
a given subject. Basically (Eric should correct me) when looking for
the issuer cert, ssleay computes the hash of the issuer's name and
looks in some directories (mostly only the standard location) for
all files with the hash value as file name. Since there could be
more than one file with a given hash (not because of real collisions
but because of more than one cert with a given subject's name) ssleay
will grab all files with continuous numbers suffixed.

> allows old certs to verify, but they will still need re-issuing once
> old_cert expires.
> 
> Bright ideas - other than new certs?

Of course you should reissue customer certs from time to time anyway...

-- 
read you later  -  Holger Reif
------------------------------------ Signaturprojekt Deutsche Einheit
TU Ilmenau - Informatik - Telematik                (Verdamp lang her)
[EMAIL PROTECTED]          Alt wie ein Baum werden, um ueber
Remus.PrakInf.TU-Ilmenau.DE/Reif/    alle 7 Bruecken gehen zu koennen
+-------------------------------------------------------------------------+
| Administrative requests should be sent to [EMAIL PROTECTED] |
| List service provided by Open Software Associates, http://www.osa.com/  |
+-------------------------------------------------------------------------+

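The renewal and the hash-directory layout discussed in this thread, as an added example that is not part of the original posting and not SSLeay's own code. It uses a current openssl(1), where "-signkey" is the spelling of the "-sign_key" option quoted above, and it assumes openssl is on PATH and that a scratch directory can be created. The "Example Test CA" and "some user" names are made up for the demonstration. The script re-signs the CA cert with its unchanged key, confirms that old and new CA certs share a subject hash but differ in bytes, and then verifies an end-user cert three ways: against a hash directory holding both CA certs as hash.0 and hash.1, against the renewed cert alone (which succeeds on a current release, the behaviour Holger expects), and against a directory that has only hash.1 without hash.0, which fails because the lookup stops at the first missing suffix. The 1997 SSLeay result reported in the quoted text is not reproduced here.

```shell
#!/bin/sh
# Added example, not from the original thread: reproduce the hash.N trick with a
# current openssl(1). Assumes openssl is on PATH and a scratch dir can be made.
# "-signkey" is today's spelling of the "-sign_key" option quoted in the thread.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. CA key and a short-lived self-signed CA cert (the thread's "old_cert").
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -new -x509 -batch -key ca.key -days 30 \
    -subj "/CN=Example Test CA" -out old_cert.pem 2>/dev/null

# 2. An end-user cert issued while old_cert was the CA cert in use.
openssl genrsa -out user.key 2048 2>/dev/null
openssl req -new -batch -key user.key -subj "/CN=some user" -out user.csr 2>/dev/null
openssl x509 -req -in user.csr -CA old_cert.pem -CAkey ca.key \
    -set_serial 1 -days 30 -out user.pem 2>/dev/null

# 3. The renewal from the thread: same key, same subject, new validity period.
openssl x509 -in old_cert.pem -days 3650 -signkey ca.key -out new_cert.pem 2>/dev/null

# Subject-name hash of a cert; this is the file name the -CApath lookup uses.
subject_hash() { openssl x509 -noout -hash -in "$1"; }

# Returns 0 when old and new CA certs map to the same hash file name
# but are not byte-identical (different signature and validity).
same_hash_different_bytes() {
    [ "$(subject_hash old_cert.pem)" = "$(subject_hash new_cert.pem)" ] &&
    ! cmp -s old_cert.pem new_cert.pem
}

# Verify user.pem and print "ok" or "fail" by grepping verify's report,
# rather than trusting its exit status, which older releases did not set.
verify_capath() {
    if openssl verify -CApath "$1" user.pem 2>&1 | grep -q ': OK$'; then
        echo ok; else echo fail; fi
}
verify_cafile() {
    if openssl verify -CAfile "$1" user.pem 2>&1 | grep -q ': OK$'; then
        echo ok; else echo fail; fi
}

# 4. The layout from the thread: hash.0 -> new_cert, hash.1 -> old_cert.
H=$(subject_hash old_cert.pem)
mkdir -p both
cp new_cert.pem "both/$H.0"
cp old_cert.pem "both/$H.1"

# 5. The lookup tries hash.0, hash.1, ... and stops at the first missing
#    suffix, so a directory holding only hash.1 never yields the CA cert.
mkdir -p gap
cp old_cert.pem "gap/$H.1"

echo "same hash, different bytes:           $(same_hash_different_bytes && echo yes || echo no)"
echo "verify with hash.0 and hash.1 present: $(verify_capath both)"
echo "verify with new_cert alone:            $(verify_cafile new_cert.pem)"
echo "verify with only hash.1 present:       $(verify_capath gap)"
```

The suffixes matter: c_rehash and the manual layout above must number files consecutively from .0, because the directory lookup gives up at the first gap rather than globbing every file with that hash.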