httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 45708] CRL verification fails if CA have distinct AKID for CRL and client certificates
Date Tue, 06 Jul 2010 18:02:11 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=45708

--- Comment #7 from Erwann Abalea <erwann.abalea@keynectis.com> 2010-07-06 14:02:08 EDT ---
(In reply to comment #4)
> UP
> not yet solved ? 
> CA rekeying fails with mod_ssl, should use AKI instead of Subjects...

No. AKI is not the good way to go.
A certificate signed by a CA (with KeyID K1) will be revoked by the renewed
CA, with a changed key (with KeyID K2). In that case, AKIs will be different.
The only thing in common will be the IssuerName of both the user certificate
and CRL. They must match in order to be considered issued by the same CA (for
X.509, a CA is only a name, not a key).

The patch I provided 2 years ago solves this, and also a specific case where
a CA has one key to sign certificates, and another one to sign CRLs. In that
case, AKIs will also be different.

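The issuer-name matching described in the comment above, as an added example that is not part of this bug thread or of mod_ssl's code: a Go program using only the standard library's crypto/x509 (Go 1.19 or later) that builds the rekey case, a client certificate issued under key K1 and a CRL revoking it signed with the renewed key K2 under the same issuer name, and then performs the CRL lookup by IssuerName rather than by AKID. All names, serial numbers and validity periods are constructed for the demo, and `must`, `template`, `makeCert`, `issueCRL`, `isRevoked` and `rekeyScenario` are this example's own helpers, not anything from httpd.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// caName is the one thing the old and the renewed CA certificate share: the X.509 IssuerName.
var caName = pkix.Name{Organization: []string{"Example Org"}, CommonName: "Example Issuing CA"}

// must aborts this demo on any setup failure.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template returns a CA or leaf certificate template (constructed names, one-day validity).
func template(serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "client.example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if ca {
		t.Subject, t.IsCA, t.BasicConstraintsValid = caName, true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// makeCert generates a fresh P-256 key and has parent/parentKey sign tmpl (self-signed when parent is nil). Go
// derives a CA's SubjectKeyId from its key and copies it into each child's AuthorityKeyId, so a rekey changes both.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// issueCRL has ca/caKey sign a CRL listing one serial. The CRL's Issuer is the CA name; its AuthorityKeyId is
// the signing certificate's SubjectKeyId, i.e. the key that signed the CRL (K2 after a rekey), not K1.
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked *big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute),
		NextUpdate: time.Now().Add(time.Hour), RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: revoked, RevocationTime: time.Now().Add(-time.Minute)}}}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))
	return must(x509.ParseRevocationList(der))
}

// isRevoked does the lookup the comment argues for: the CRL applies only if its DER-encoded IssuerName equals the
// leaf's; its signature is then checked against whichever CA certificate of that name holds the key the CRL's own
// AKID names (any key of that name if the CRL has no AKID); only then are the revoked serials scanned. The leaf's
// AKID plays no part, so neither a CA rekey nor a separate CRL-signing key breaks the lookup.
func isRevoked(leaf *x509.Certificate, crl *x509.RevocationList, cas []*x509.Certificate) (bool, error) {
	if !bytes.Equal(crl.RawIssuer, leaf.RawIssuer) {
		return false, fmt.Errorf("CRL issuer %q does not match certificate issuer %q", crl.Issuer, leaf.Issuer)
	}
	for _, ca := range cas {
		if !bytes.Equal(ca.RawSubject, crl.RawIssuer) || (len(crl.AuthorityKeyId) > 0 &&
			!bytes.Equal(ca.SubjectKeyId, crl.AuthorityKeyId)) || crl.CheckSignatureFrom(ca) != nil {
			continue // wrong name, not the key that signed this CRL, or a signature that does not verify
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				return true, nil
			}
		}
		return false, nil
	}
	return false, fmt.Errorf("CRL signature not verifiable with any CA certificate named %q", leaf.Issuer)
}

// rekeyScenario builds the comment's case: a leaf issued under K1, then a CRL revoking it signed by the renewed CA's
// K2 under the same IssuerName (the "one key for certificates, another for CRLs" case has exactly the same shape).
func rekeyScenario() (akidsMatch, leafRevoked, otherValid bool, err error) {
	oldCA, oldKey := makeCert(template(1, true), nil, nil)
	newCA, newKey := makeCert(template(2, true), nil, nil)
	leaf, _ := makeCert(template(1001, false), oldCA, oldKey)
	other, _ := makeCert(template(1002, false), oldCA, oldKey) // issued under K1 too, never revoked
	crl := issueCRL(newCA, newKey, leaf.SerialNumber)
	cas := []*x509.Certificate{oldCA, newCA}
	akidsMatch = bytes.Equal(leaf.AuthorityKeyId, crl.AuthorityKeyId)
	if leafRevoked, err = isRevoked(leaf, crl, cas); err != nil {
		return
	}
	otherRevoked, err := isRevoked(other, crl, cas)
	return akidsMatch, leafRevoked, !otherRevoked, err
}

func main() {
	fmt.Println(rekeyScenario()) // akidsMatch leafRevoked otherValid err: false true true <nil>
}
```

Run with `go run`: it prints `false true true <nil>`, that is, the leaf's AKID (K1) and the CRL's AKID (K2) differ, the revoked certificate is still found because the lookup keys on the issuer name, and an unrevoked certificate from the same CA is still accepted. The CRL's AKID is consulted only afterwards, to choose which of the CA's keys must verify the CRL signature, which is also what covers the separate CRL-signing-key case from the last paragraph; a verifier that demanded AKID equality between certificate and CRL would either fail to find a CRL or, worse, silently skip the revocation.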