On Sat, Apr 28, 2007 at 11:40:16AM +0200, Peter Schorsch wrote:

> Hi,
>
> I am still a beginner in OpenSSL so please excuse my basic question:
>
> I am looking for information on whether I can sign an x509-certificate only one
> or multiple times. And if it is possible to sign multiple times: what are
> the options for it?
>
The same (subject DN, subjectAltName extensions, public key) tuple can be signed by multiple CAs, yielding *multiple* certificates. In any given application, it is not guaranteed that verifiers will be able to handle multiple signer certs or choose the right one.

I don't think it is possible in TLS to present multiple trust chains for the same public key, because if I am not mistaken the depth 0 (your *single* cert) must be first in the server HELO message.

This restriction may not apply to CAs, so perhaps an intermediate CA cert can be signed by multiple root certs? Anyone care to elaborate?

--
Viktor.
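
The point made in the reply above, shown with the openssl command line (an added example, not part of the original thread): one key pair and one CSR are signed by two unrelated demo CAs, which yields two distinct certificates carrying the same public key, each verifying only under its own issuer. The CA names, the subject and the file names are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: one key pair and one CSR, signed by two unrelated CAs.
# CA names, subject and file names are constructed for this demo.

vfy() {  # vfy <CA file> <cert>: "ok" if the cert chains to that CA, else "fail"
  if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
    echo ok
  else
    echo fail
  fi
}

issue_and_check() {  # runs inside the scratch directory
  for ca in A B; do  # two independent self-signed roots
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA $ca" \
      -keyout "ca$ca.key" -out "ca$ca.pem" 2>/dev/null || return 1
  done
  # One subject key pair and one certificate request.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout leaf.key -out leaf.csr 2>/dev/null || return 1
  for ca in A B; do  # each CA issues its own certificate from the same request
    openssl x509 -req -in leaf.csr -CA "ca$ca.pem" -CAkey "ca$ca.key" \
      -set_serial 1 -days 30 -out "leaf$ca.pem" 2>/dev/null || return 1
  done
  pub_a=$(openssl x509 -in leafA.pem -noout -pubkey)
  pub_b=$(openssl x509 -in leafB.pem -noout -pubkey)
  if [ "$pub_a" = "$pub_b" ]; then echo same_pubkey=yes; else echo same_pubkey=no; fi
  if cmp -s leafA.pem leafB.pem; then echo same_cert=yes; else echo same_cert=no; fi
  # Each certificate has exactly one issuer and one signature.
  echo "leafA_under_caA=$(vfy caA.pem leafA.pem)"
  echo "leafA_under_caB=$(vfy caB.pem leafA.pem)"
  echo "leafB_under_caB=$(vfy caB.pem leafB.pem)"
  echo "leafB_under_caA=$(vfy caA.pem leafB.pem)"
}

cross_sign_demo() {
  demo_dir=$(mktemp -d) || return 1
  ( cd "$demo_dir" && issue_and_check )
  demo_rc=$?
  rm -rf "$demo_dir"
  return "$demo_rc"
}

cross_sign_demo
```

A verifier that trusts only one of the two demo roots accepts only the certificate issued under that root, so the holder of the key has to present the certificate that matches what the verifier trusts.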