On 9/20/2017 10:28 AM, Walter H. via openssl-users wrote:
> On 20.09.2017 18:33, Jordan Brown wrote:
>>
>> Q: Does OpenSSL's trust-list verification support trusting multiple
>> certificates with the same subject name and overlapping validity periods?
>>
> do these replacement certificates have the same serial number and the
> same private key?

I'll check with my colleague who is doing the actual work, but...

I assume that they do not have the same serial number, since they are new certificates.

I don't know whether they have the same private key. For discussion purposes, let's say that they might or might not have the same key.

Remember that these are customer-controlled certificates; I don't get to tell them how the certificates should be structured.

Note that this would be easy if each successive certificate had a different Subject, because then the trust list could contain all of them and there would be no possibility for confusion. But they don't.

--
Jordan Brown, Oracle Solaris