I'm working here with 2 self-signed CAs.
So with cross certification, each CA will have two certificates? One signed by itself and one signed by the other one, is that it? I thought cross-certification would be each CA signing the other one's certificate, I was wrong?
The use of the verb "to have" is problematic in the above. Don't think in terms of possession wrt certificates.
In the simplest of hierarchies, there is a root cert associated with a CA, which is self signed. If this CA is cross-certified by CA' (indicating a one-way trust relationship), this CA is essentially a subordinate CA' for the purposes of those who trust CA'.
There is no need for multiple certs in this case.
A cert signed by CA will be trusted by anyone who trusts either CA or CA' unless or until the cross-cert is revoked, expired, etc.
The situation you describe would be much simpler if you had multiple intermediate CAs, I think.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List
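The trust relationship described in the reply, reproduced with the openssl command line as an added example (not part of the original thread): CA' cross-certifies CA, and a certificate issued once by CA then verifies for a relying party that trusts CA and for one that trusts only CA'. The subject names, file names and 30-day lifetimes are made up for the demo, and a system default openssl.cnf is assumed to be present.

```shell
#!/usr/bin/env bash
# Constructed demo of one-way cross-certification; all names are made up.
set -eu

# Print "ok" or "fail" for one `openssl verify` invocation.
check() { if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi; }

crosscert_demo() (
  d=$(mktemp -d); trap 'rm -rf "$d"' EXIT; cd "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

  # One key pair and one CSR per entity: CA, CA' and an end-entity.
  for n in ca caprime leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
      -out "$n.csr" -subj "/CN=demo-$n" 2>/dev/null
  done

  # Both CAs start out as independent self-signed roots.
  for n in ca caprime; do
    openssl x509 -req -in "$n.csr" -signkey "$n.key" -extfile ca.ext \
      -days 30 -out "$n-self.pem" 2>/dev/null
  done

  # Cross-certificate: CA' signs CA's existing subject name and public key.
  openssl x509 -req -in ca.csr -CA caprime-self.pem -CAkey caprime.key \
    -CAcreateserial -extfile ca.ext -days 30 -out ca-cross.pem 2>/dev/null

  # CA issues the end-entity certificate once, with its own key.
  openssl x509 -req -in leaf.csr -CA ca-self.pem -CAkey ca.key \
    -CAcreateserial -days 30 -out leaf.pem 2>/dev/null

  # 1. Relying party that trusts CA directly.
  echo "trust_ca=$(check -CAfile ca-self.pem leaf.pem)"
  # 2. Relying party that trusts only CA', given the cross-cert as an
  #    untrusted intermediate: leaf -> CA (cross-cert) -> CA'.
  echo "trust_caprime_with_cross=$(check -CAfile caprime-self.pem \
    -untrusted ca-cross.pem leaf.pem)"
  # 3. Same relying party without the cross-cert: no path to CA'.
  echo "trust_caprime_without_cross=$(check -CAfile caprime-self.pem leaf.pem)"
)

crosscert_demo
```

The leaf certificate is the same file in all three checks; only the relying party's trust anchor and the presence of the cross-certificate change.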