Am 21.01.2014 11:21, schrieb Kamalraj Madhurakasan:
Hello Ted,
In our application we have requirement to introduce new option which
allows customers to renew their certificates which was installed in it
already.
We would like to find out whether the new certificate is really a
renewal certificate of old one so that we can allow them to replace
the old one with new one.
So to find out the match we decided to use fields (Issuer Or subject)
And Serial number. But when I used openssl to create renew certificate
as in the steps I mentioned already I see that the subject can be
altered and serial number is different.
From your mail I understand that other than public key, any field can
be different or same based on the CA that customer uses. We have many
customers across globe and they get their certificates signed and
renewed by many CA in market.
So my conclusion, is its up to us to decide now on choosing match
fields. Let me know if I am missing something.
Now, I don't know the details of your software, but I'd advise to use
the subject fields (maybe only some of them) to identify the customer.
Though there's no guarantee, my guess is that in most renewed
certificates the subject won't change... Also you'll catch those
customers who'll want to use new keys. Same issuer makes some sense,
because usually another CA will have more or less subtle differences in
the subject fields.
Of course you'll never get 100% of all "renewed" certificates, but a
good percentage should be possible.
I'd not restrict identification to the same public key, because that's
only a technical detail, but has no "intrinsic" connection to the person
who uses it. The serial number is definitively useless for your purpose.
All this has not much to do with openssl, so maybe we should move to
private discussion if you still have questions. And maybe I should think
about consulting charges... :-)
Hope this helps,
Ted
Thanks
Kamalraj
On Tue, Jan 21, 2014 at 1:30 PM, Bernhard Fröhlich <t...@convey.de
<mailto:t...@convey.de>> wrote:
Ho there,
from the technical perspective (which is the thing this list is
concerned with) a "renewed" certificate is a new certificate for
the same keys as the old one. No step of the three you list as
necessary is necessary from the openssl point of view, but may be
required by your CA.
The data contained in the "renewed" certificate, beside the public
part of the key, is completely up to the issuing CA and usually
laid down in their policies.
So, you should address your questions to the CA you want to get
your certificates from. If you are implementing your own CA, you
have to decide what you want to do.
Or was your question about best practices when creating a CA policy?
Hope this helps at least a bit,
Ted
;)
Am 21.01.2014 06:51, schrieb Kamalraj Madhurakasan:
Hello guys,
I would like to know whether my understanding about
certificate renewal is correct or not.
To renew the certificate:
1. we need to generate a new CSR from the private key
2. revoke the old certificate
3. get the new CSR signed by the CA with validity extended
The fields that are common between old and new renewed
certificate will be:
1. SKI
2. AKI
3. Issuer
4. Public Key
The fields are not be common are:
1. subject (I see that while generating new CSR we can change
the subject)
2. Serial number
3. Other fields
Please share your inputs on this.
Thanks
Kamalraj
--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
<mailto:openssl-users@openssl.org>
Automated List Manager majord...@openssl.org
<mailto:majord...@openssl.org>
--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
