Hello all, I have a question that comes from a real-life situation. Suppose you have a CA that signed a CSR and produced a certificate for some user. After some time the CA revokes that certificate. Then that user sends to the CA a new CSR. The policy of the CA does not permit it to sign a CSR generated using a key which has been revoked (well, the corresponding certificate has been revoked). How can the CA verify that the new CSR hasn't been signed with the old (revoked) key? Is there an elegant method? One option is to extract the public key both from the CSR and from (possibly all!) revoked certificates and compare them. If there is a match, the CA rejects the CSR as not matching its policy. But this method is too cumbersome. Is there some option to a verification command (say openssl req -verify ...) to verify a CSR which allows passing directories or files that contain a list of untrusted certificates?
Best regards, Arsen.
-- 
PGP Key: ID 0xBBE3DFD8 (expires: 2006-08-03)
Fingerprint: 1C3B 2C01 40DF ED87 23B1 BF6F 95C4 2E77 BBE3 DFD8
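The "compare the public keys" approach from the question, written out as an added POSIX shell example with the openssl command line (this is not code from the original post). A CSR and a certificate for the same key carry the same SubjectPublicKeyInfo, so the script digests that structure from each side and compares; the directory of revoked certificates (PEM files named *.pem) and the exit-code convention are assumptions.

```shell
#!/bin/sh
# Added example: reject a CSR whose public key appears in any revoked
# certificate. The SubjectPublicKeyInfo is identical in the CSR and in the
# certificate issued for the same key, so its SHA-256 digest is a key-reuse check.
# Assumed layout: revoked certificates are PEM files named *.pem in one directory.

# spki_fingerprint <req|x509> <pem-file>: SHA-256 of the DER-encoded public key;
# non-zero exit and empty output if the file does not parse.
spki_fingerprint() {
  pub=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$pub" ] || return 1
  printf '%s\n' "$pub" \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 \
    | sed 's/^.*= *//'
}

# csr_key_revoked <csr.pem> <revoked-dir>
#   exit 0: key matches a revoked certificate (reject the CSR)
#   exit 1: no match (CSR may proceed to the CA's other policy checks)
#   exit 2: CSR unreadable, or its self-signature (proof of possession) fails
csr_key_revoked() {
  csr=$1; dir=$2
  # Check the CSR's own signature first, as "openssl req -verify" does;
  # a CSR that fails here is rejected before any key comparison.
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 2
  csr_fp=$(spki_fingerprint req "$csr") || return 2
  for cert in "$dir"/*.pem; do
    [ -f "$cert" ] || continue
    cert_fp=$(spki_fingerprint x509 "$cert") || continue  # skip unparsable files
    if [ "$cert_fp" = "$csr_fp" ]; then
      echo "REJECT: public key of $csr matches revoked certificate $cert" >&2
      return 0
    fi
  done
  return 1
}
```

The per-request cost is one digest of the CSR plus a lookup: a CA can compute the fingerprints of its revoked certificates once (for an openssl ca setup, the 'R' lines in index.txt name the serials, and the certificates sit in newcerts/<serial>.pem) and keep them in a file, so the loop over all revoked certificates need not be repeated for every CSR.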