Hi all,
I'll leave on vacation tomorrow, so at the last minute:
No, there's no policy requirement to revoke a cert on renewal or
rekey, but there has been a historic tendency to do so because of
software limitations in OpenSSL: as it uses the DN as a key to its
internal 'database' (the index.txt file), it could not handle more than
one valid certificate with the same DN.
And since the only documented option to get rid of a valid certificate
was to revoke it, well, that's what many people did.
There has always been the option to 'manually' update the
index.txt file of OpenSSL. Look up the line with your DN
in it, replace the "V" at the beginning of the line with an "E" (actually
with anything but a "V" :-), and all was fine again. That way, you can
have multiple certificates with the same DN valid at the same
time, exactly what you want in case of rekeying.
As of late, OpenSSL's "ca" command has grown a "-updatedb" option, that
converts "V" into "E" for expired certificates:
-updatedb - Updates db for expired certificates
which does almost what you want but not quite -- it still fails to
expire a certificate that is "still valid, but not too much longer".
A pity, but that's life (or more accurately phrased "that's OpenSSL").
So, if the CA's Policy and Practice Statements do not forbid you
from having two certificates, the technical obstacles for having
overlapping certificates can easily be overcome:
- replace the "V" by an "E" in a line like this, so:
V 041129125406Z 0B unknown /C=NL/O=nonsense BV/CN=testje
becomes
E 041129125406Z 0B unknown /C=NL/O=nonsense BV/CN=testje
but be sure to leave all tab characters (ASCII "09h") intact, and do NOT
replace them with spaces (ASCII 20h), as they are the field delimiters
in the index.txt file. And, yes, there are *two* tabs between the
"validUntil" date and the serial number unless a cert has been revoked.
Hope this helps!
Cheers,
DavidG.
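As an added illustration (not David's code, nor anything shipped with OpenSSL), a small Python routine that performs the tab-preserving "V" to "E" edit described above: it marks every still-valid entry for a DN as expired except the newly issued serial, and refuses to touch the file if the fields or tabs do not look like an index.txt. The sample entries and serials are constructed for the example.

```python
# Constructed sample index.txt content (not taken from the page). Fields are
# TAB-separated: status, expiry, revocation date (empty unless "R"),
# serial (hex), filename, DN. Note the two adjacent tabs on valid entries.
SAMPLE_INDEX = (
    "V\t041129125406Z\t\t0B\tunknown\t/C=NL/O=nonsense BV/CN=testje\n"
    "V\t091129125406Z\t\t0C\tunknown\t/C=NL/O=nonsense BV/CN=testje\n"
    "R\t081129125406Z\t080101000000Z\t0A\tunknown\t/C=NL/O=nonsense BV/CN=other\n"
)


def parse_index(text):
    """Split index.txt into 6-field rows, refusing anything that is not
    tab-delimited as OpenSSL expects (e.g. tabs replaced by spaces)."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 tab-separated fields, "
                             f"got {len(fields)}; were tabs replaced by spaces?")
        status, _expires, revoked, _serial, _fname, _dn = fields
        if (status == "R") != bool(revoked):
            raise ValueError(f"line {lineno}: revocation date inconsistent "
                             f"with status {status!r}")
        rows.append(fields)
    return rows


def expire_superseded(text, dn, keep_serial):
    """Return (new_text, expired_serials): every 'V' entry for `dn` whose
    serial differs from `keep_serial` becomes 'E'. Revoked entries and other
    DNs are left untouched; the tab layout is written back unchanged."""
    rows = parse_index(text)
    keep = keep_serial.upper()
    valid_serials = {r[3].upper() for r in rows if r[0] == "V" and r[5] == dn}
    if keep not in valid_serials:
        # Guard against expiring every certificate for the DN by mistake.
        raise ValueError(f"no valid entry with serial {keep} for {dn}")
    out, expired = [], []
    for fields in rows:
        status, serial, entry_dn = fields[0], fields[3].upper(), fields[5]
        if status == "V" and entry_dn == dn and serial != keep:
            fields = ["E"] + fields[1:]
            expired.append(fields[3])
        out.append("\t".join(fields))
    return "\n".join(out) + "\n", expired
```

Back up index.txt before writing the result over it; the check in parse_index is deliberately strict so that an editor which silently converted tabs to spaces is caught rather than propagated.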
Dennis van Dok wrote:
> Eygene Ryabinkin schreef:
>> Glenn, good day.
>>
>> Tue, Jun 10, 2008 at 07:28:21PM +1000, Glenn R. Moloney wrote:
>>> Can someone enlighten me as to the whether it is necessary for a CA to
>>> revoke an existing host certificate when issuing a new cert for that
>>> host.
>
>> As I know, there is no requirement in IGTF/EUGridPMA to revoke
>> expiring certificates that were already renewed -- two overlapping
>> certificates for one entity provide no troubles: they identify the
>> same person that can be traced by his DN. Exceptions are the cases
>> of compromised/lost key material.
>>
>> But sure, reality can be different and your CA can have some reasons
>> to revoke certificates -- this should be brought to the light and
>> discussed.
>>
>> I am CC'ing David Groep and Yoshio Tanaka. David, Yoshio, any
>> thoughts?
>
> David is on vacation; I'm not nearly as knowledgeable as him on the
> topic, but it's our policy to revoke only if the key is compromised (or
> if there is proof of misuse). There is no conflict between having
> multiple valid certificates for the same DN, although we do expire the
> superseded certificates from our on-line records.
>
> Revoking a certificate is a pretty extreme measure; it's like saying
> "don't trust this certificate, even though I once signed it."
>
> When certificates expire, so do their revocations. Otherwise the CRLs
> would grow indefinitely. So revoking a certificate just before it
> expires sounds, well, silly.
>
> But I'm interested to hear more insightful ideas.
>
> Dennis van Dok