Bruno Costacurta wrote:
> [...]
> - serial information within the certificate is useless
If you are still talking about only the serial number, you are correct. But
if you also know the issuing CA, you can uniquely identify the
certificate. A CRL (Certificate Revocation List), for example, works by
publishing the serial numbers which have been revoked by a CA, and OCSP
also tells you the status of a certificate if you only tell the (CA-specific)
responder the serial number.
> As far as I understand, the serial information within the certificate is only useful as a reference for the CA. This reference can be used by the CA to revoke the certificate. Is this correct?
Yes.
> Are there other actions that can be taken by the CA on a specific certificate (i.e. renew, some metadata changes...)?
The CA may keep a database, indexed by the serial number, containing some information about the certificate (OpenSSL's CA command does this in the form of the index file). So, like you said, the serial can help the CA to find metadata about a certificate, probably including the certificate itself (as in the OpenSSL CA). If the metadata contains the CSR (the OpenSSL CA index does not), it would be possible to re-issue a certificate, possibly with modified metadata.

> Thanks,
> Bruno
Hope it helps,
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26
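The CRL lookup Ted describes (a serial number only identifies a certificate together with its issuing CA) as an added example; this is not code from the thread or from OpenSSL. It uses the Python `cryptography` library, generates throwaway CA and leaf keys at runtime, and builds a CRL that, like a real one, carries nothing but serial numbers, so a certificate with the same serial from a different CA is correctly reported as not revoked.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Fixed, constructed validity window so the example is deterministic.
NOW = dt.datetime(2024, 1, 1)

def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])

def make_ca(common_name):
    """Self-signed CA certificate and its throwaway private key (constructed test data)."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name(common_name)).issuer_name(_name(common_name))
            .public_key(key.public_key()).serial_number(1)
            .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return cert, key

def issue_leaf(ca_cert, ca_key, common_name, serial):
    """End-entity certificate with a caller-chosen serial, signed by ca_key."""
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder()
            .subject_name(_name(common_name)).issuer_name(ca_cert.subject)
            .public_key(leaf_key.public_key()).serial_number(serial)
            .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=90))
            .sign(ca_key, hashes.SHA256()))

def build_crl(ca_cert, ca_key, revoked_serials):
    """CRL signed by the CA; it lists only serial numbers, exactly as the thread says."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(NOW).next_update(NOW + dt.timedelta(days=7)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(NOW).build())
    return builder.sign(ca_key, hashes.SHA256())

def is_revoked(cert, crl, ca_cert):
    """True only if the CRL is from cert's issuer (signature and name) and lists its serial."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against the supplied CA")
    if crl.issuer != cert.issuer:
        return False  # the same serial under another CA is a different certificate
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
```

Checking the CRL signature before trusting its contents matters as much as the issuer comparison: an unsigned or foreign list of serials is just numbers.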
