httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 45708] CRL verification fails if CA has distinct AKIDs for CRL and client certificates
Date Tue, 06 Jul 2010 18:02:11 GMT

--- Comment #7 from Erwann Abalea <> 2010-07-06 14:02:08 EDT ---
(In reply to comment #4)
> UP
> not yet solved?
> CA rekeying fails with mod_ssl, should use AKI instead of Subjects...

No. AKI is not the right way to go.
A certificate signed by a CA (with KeyID K1) will be revoked by the renewed
CA, with a changed key (with KeyID K2). In that case, the AKIs will be different.
The only thing in common will be the IssuerName of both the user certificate
and the CRL. They must match in order to be considered issued by the same CA (for
X.509, a CA is only a name, not a key).

The patch I provided 2 years ago solves this, and also a specific case where
a CA has one key to sign certificates and another one to sign CRLs. In that
case, the AKIs will also be different.
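The re-keying scenario from the comment above, as an added example written in Go (it is not code from the bug report, from mod_ssl, or from the patch mentioned). It assumes Go 1.21 or later for crypto/x509's RevocationListEntry; the CA name "Example CA", the user certificate serial 1234, and the fixed date are constructed fixtures. A certificate is issued under K1, the CA re-keys to K2 under the same name, and a CRL revoking that certificate is signed with K2: the AKIDs differ, the issuer names match, and the CRL verifies only under K2.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var caName = pkix.Name{CommonName: "Example CA"} // constructed: the one name both CA keys share
var now = time.Date(2010, 7, 6, 0, 0, 0, 0, time.UTC)
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// caCert self-signs a CA certificate; Go derives SubjectKeyId from the key, so K1 and K2 get different ones.
func caCert(key *ecdsa.PrivateKey) *x509.Certificate {
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: caName, IsCA: true, BasicConstraintsValid: true,
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key))))
}

// userCert is issued by ca; Go copies ca's SubjectKeyId into the new certificate's AKID.
func userCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1234), Subject: pkix.Name{CommonName: "user"},
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0)}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tpl, ca, &newKey().PublicKey, caKey))))
}

// crlFor signs, with ca's key, a CRL revoking serial; the CRL's AKID likewise comes from ca's SubjectKeyId.
func crlFor(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial *big.Int) *x509.RevocationList {
	tpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.AddDate(0, 1, 0),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: serial, RevocationTime: now}}}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tpl, ca, caKey))))
}

// Rekey: cert issued under K1, CA re-keyed to K2 (same name), CRL signed by K2. Returns AKIDs equal?,
// issuer names equal?, CRL signature valid under K2?, valid under K1?  (expected: false, true, true, false)
func Rekey() (akidMatch, issuerMatch, sigOKUnderK2, sigOKUnderK1 bool) {
	k1, k2 := newKey(), newKey()
	oldCA, newCA := caCert(k1), caCert(k2)
	cert := userCert(oldCA, k1)
	crl := crlFor(newCA, k2, cert.SerialNumber)
	return bytes.Equal(cert.AuthorityKeyId, crl.AuthorityKeyId), bytes.Equal(cert.RawIssuer, crl.RawIssuer),
		crl.CheckSignatureFrom(newCA) == nil, crl.CheckSignatureFrom(oldCA) == nil
}
func main() { fmt.Println(Rekey()) }
```

Matching the CRL to the certificate by AKID would therefore reject a perfectly valid CRL after a re-key; matching by issuer name and then verifying the CRL signature against the CA certificate that carries the name (here newCA) is what works.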
