On 30.04.2014 03:57, Nikolay Elenkov wrote:
What hasn't been suggested is giving each server, etc. its own sub-CA signed by the root. Then there won't be a need to have the root key at multiple places and no problems with serial. Additionally, clients will only have to install and trust the root, which should make the whole thing easier to deploy.
I already mentioned this solution (I am not the one who has the many servers): "this is a design failure; the certificates MUST all be signed on only one server for this reason;
or each server must have its own root/intermediate CA;" I just want to come back to Jakob Bohm: "I seem to (vaguely) recall that there was once an option or standard for using a certificate-contents-related hash as the serial number, but I can't seem to find it right now."
if he has already found this - I'd use it for a totally different purpose;
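The content-derived serial number idea quoted above, as an added example that is not from this thread or from any existing tool: several issuing servers compute the serial from the data they are about to sign, so they need no shared counter. The field selection, SHA-256, the truncation to 20 octets and all function names are assumptions made for illustration, and the key bytes are constructed stand-ins.

```python
import hashlib

MAX_SERIAL_OCTETS = 20  # upper bound on serialNumber length in RFC 5280

# Constructed stand-ins for two subjects' DER-encoded public keys.
SPKI_A = b"constructed-public-key-A"
SPKI_B = b"constructed-public-key-B"


def length_prefixed(data: bytes) -> bytes:
    # Prefix each field with its length so ("ab", "c") and ("a", "bc")
    # can never produce the same hash input.
    return len(data).to_bytes(4, "big") + data


def content_serial(issuer: str, subject: str, spki_der: bytes,
                   not_before: str, not_after: str) -> int:
    """Derive a certificate serial number from the contents to be signed."""
    h = hashlib.sha256()
    for part in (issuer.encode(), subject.encode(), spki_der,
                 not_before.encode(), not_after.encode()):
        h.update(length_prefixed(part))
    raw = bytearray(h.digest()[:MAX_SERIAL_OCTETS])
    raw[0] &= 0x7F  # clear the top bit: positive INTEGER, no 21st octet
    return int.from_bytes(raw, "big") or 1  # a serial must not be zero


def der_integer_len(n: int) -> int:
    """Number of content octets DER uses for the positive integer n."""
    return n.bit_length() // 8 + 1


def issue_on_two_servers():
    """Two servers sharing one CA name issue independently (hypothetical)."""
    ca = "CN=Example Root"
    s1 = content_serial(ca, "CN=host1", SPKI_A, "20140430", "20150430")
    s2 = content_serial(ca, "CN=host2", SPKI_B, "20140430", "20150430")
    return s1, s2


if __name__ == "__main__":
    for serial in issue_on_two_servers():
        print(f"{serial:040x}  ({der_integer_len(serial)} octets)")
```

A serial derived this way is predictable from the certificate contents, so it does not satisfy policies that require random bits in the serial, such as the CA/Browser Forum Baseline Requirements. Reissuing byte-identical contents also yields the same serial again.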