David, good day.
Tue, Jun 10, 2008 at 03:02:58PM +0200, David Groep wrote:
> No, there's no policy requirement to revoke a cert on renewal or
> rekey, but there has been a historic tendency to do so because of
> software limitations in OpenSSL: as it uses the DN as a key to its
> internal 'database' (the index.txt file), it could not handle more than
> one valid certificate with the same DN.
Nowadays, OpenSSL's "ca" command has the unique_subject option in the
configuration file. I have it at least in 0.9.8e and it seems to
work ;))
--
Eygene Ryabinkin, Russian Research Centre "Kurchatov Institute"
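
An added example, not part of the original message: a Python check that lists the subject DNs in an OpenSSL "ca" index.txt that have more than one entry flagged valid, which is the situation the quoted text says the DN-keyed database could not handle and that unique_subject governs. The sample index content and host names are constructed, and the function names are this example's own.

```python
from collections import defaultdict

# Constructed sample of a CA index.txt. Fields are tab-separated:
# status (V/R/E), expiry date, revocation date, serial, filename, subject DN.
SAMPLE_INDEX = (
    "V\t090610130258Z\t\t01\tunknown\t/C=NL/O=Example/CN=host1.example.org\n"
    "V\t100610130258Z\t\t02\tunknown\t/C=NL/O=Example/CN=host1.example.org\n"
    "R\t090610130258Z\t080701000000Z\t03\tunknown\t/C=NL/O=Example/CN=host2.example.org\n"
    "V\t100610130258Z\t\t04\tunknown\t/C=NL/O=Example/CN=host2.example.org\n"
)


def parse_index(text):
    """Parse index.txt content into a list of dicts, one per certificate."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        status, expiry, revoked, serial, filename, subject = fields
        if status not in ("V", "R", "E"):
            raise ValueError(f"line {lineno}: unknown status {status!r}")
        entries.append({"status": status, "expiry": expiry, "revoked": revoked,
                        "serial": serial, "filename": filename, "subject": subject})
    return entries


def duplicate_valid_subjects(entries):
    """Map each subject DN with more than one 'V' entry to its serials.

    Only the status flag is consulted; expiry dates are not compared
    against the current time.
    """
    by_dn = defaultdict(list)
    for entry in entries:
        if entry["status"] == "V":
            by_dn[entry["subject"]].append(entry["serial"])
    return {dn: serials for dn, serials in by_dn.items() if len(serials) > 1}


if __name__ == "__main__":
    for dn, serials in duplicate_valid_subjects(parse_index(SAMPLE_INDEX)).items():
        print(f"{dn}: valid serials {', '.join(serials)}")
```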