Expired CA root with valid sub CA

Hello

we have a problem with certificates used by some customers which are
basically valid (certificate and sub CA) but have expired root-CA. We
have deleted the expired root-CA some time ago and now all user
certificates are invalid.
Is it even PKI conform to have sub-CA and certificates with longer
validity than the root-CA?

The problem CA is from
https://www.trustcenter.de/infocenter/root_certificates.htm#1432

The sub-CA is for example
https://www.trustcenter.de/infocenter/root_certificates.htm#2031

Many Thanks

Andreas

Is it even PKI conform to have sub-CA and certificates with longer
validity than the root-CA?

Although it's a bit strange to give the sub-CA a longer validity period
than the root, it's not problematic PKI-wise because the certificates are
only valid if the complete chain is valid. What sometimes happens is
that CAs reuse the private key from the root (or sub-CA) to issue a new
CA certificate with a new validity period. It could be that they have
issued a new root with the same key.

we have a problem with certificates used by some customers which are
basically valid (certificate and sub CA) but have expired root-CA. We
have deleted the expired root-CA some time ago and now all user
certificates are invalid.

Do you still want to continue using those certificates to encrypt with,
or are you going to use new certificates?

If you want to keep using those certificates when the root is missing
or expired you can force them to be 'valid' for encryption by adding the
individual certificates to the "Certificate Trust List" (white list the
certificates). You should do this only if you are certain that the
certificates are valid for the recipient.

Kind regards,

Martijn


--
Djigzo open source email encryption

Zitat von Martijn Brinkers <martijn(a)djigzo.com>:

Is it even PKI conform to have sub-CA and certificates with longer
validity than the root-CA?

Although it's a bit strange to give the sub-CA a longer validity period
than the root, it's not problematic PKI-wise because the certificates are
only valid if the complete chain is valid. What sometimes happens is
that CAs reuse the private key from the root (or sub-CA) to issue a new
CA certificate with a new validity period. It could be that they have
issued a new root with the same key.

So in fact the certificates issued by trustcenter.de are invalid
because the root-CA is invalid (expired)?

The chain is as follows:

root-CA : valid from 09.03.1998 11:59:59 GMT - 01.01.2011 11:59:59 GMT
--> expired

sub-CA : Nov 26 16:01:23 2007 GMT - Dec 31 22:59:59 2025 GMT

certificate : 23.03.2008 until 23.03.2011

we have a problem with certificates used by some customers which are
basically valid (certificate and sub CA) but have expired root-CA. We
have deleted the expired root-CA some time ago and now all user
certificates are invalid.

Do you still want to continue using those certificates to encrypt with,
or are you going to use new certificates?

If you want to keep using those certificates when the root is missing
or expired you can force them to be 'valid' for encryption by adding the
individual certificates to the "Certificate Trust List" (white list the
certificates). You should do this only if you are certain that the
certificates are valid for the recipient.

This is a little bit awkward because the certificates are used by
external users. So from time to time a certificate is greeped by
Djigzo but can't be used because of expired root-CA. The certificates
from www.trustcenter.de are commonly used in Germany and with a 3 year
validity we expect to see some more of them signed by the old root. I
even wonder if Trustcenter.de have noticed the problem because they
still seem to issue certificates signed by the sub-CA which belong to
the expired root-CA.

Many Thanks

Andreas

So in fact the certificates issued by trustcenter.de are invalid because
the root-CA is invalid (expired)?

The chain is as follows:

root-CA : valid from 09.03.1998 11:59:59 GMT - 01.01.2011 11:59:59 GMT
--> expired

sub-CA : Nov 26 16:01:23 2007 GMT - Dec 31 22:59:59 2025 GMT

certificate : 23.03.2008 until 23.03.2011

It seems that they have issued a new root certificate. It looks like
they have introduced a cross certificate into the chain to make the
'old' non expired sub-ca valid.

So, you should import "Neue Root-Zertifikate/TC TrustCenter Class 2 CA
II" with SHA1 thumbprint:

ae:50:83:ed:7c:f4:5c:bc:8f:61:c6:21:fe:68:5d:79:42:21:15:6e

and "Zwischenzertifikat / Crosszertifikat": TC TrustCenter Cross Class 2
with SHA1 thumbprint:

51:ee:c2:46:09:78:95:9b:ae:56:ca:0a:71:eb:35:d6:ca:04:21:2d

The sub-ca that was used to sign the certificates is now trusted again.

I think that they introduced the cross certificate as a way to start
using the new root.

Kind regards,

Martijn


--
Djigzo open source email encryption
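To make concrete the two points made in this thread, that a certificate is only usable when the complete chain is valid, and that a cross-certificate issued by a new root can restore a path once the old root has expired or been deleted, here is a small added Python example. It is not Djigzo code and not anything published by TrustCenter. The validity windows of the old root, sub-CA and user certificate are the ones quoted above (times dropped); the key identifiers, the new root's and cross-certificate's dates, and the assumption that the cross-certificate certifies the sub-CA's existing key under the new root are constructed for illustration. Signatures are not modelled, so this is a demonstration of path building and validity checks only.

```python
"""Toy path validation over the chain discussed in this thread.

A certificate counts as issued by whatever key its issuer_key names; real
signature verification is deliberately left out to keep the example
self-contained.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    subject_key: str   # identifier of the public key being certified
    issuer_key: str    # identifier of the key that signed this certificate
    not_before: datetime
    not_after: datetime

    def valid_at(self, when: datetime) -> bool:
        return self.not_before <= when <= self.not_after


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Old root, sub-CA and user certificate: validity windows as posted in the
# thread.  Key identifiers are constructed.
OLD_ROOT = Cert("TC TrustCenter Class 2 CA (old root)", "key-root-old",
                "key-root-old", utc(1998, 3, 9), utc(2011, 1, 1))
SUB_CA = Cert("TC TrustCenter Class 2 sub-CA", "key-sub", "key-root-old",
              utc(2007, 11, 26), utc(2025, 12, 31))
USER = Cert("user@example.invalid", "key-user", "key-sub",
            utc(2008, 3, 23), utc(2011, 3, 23))
# New root and cross-certificate: dates are constructed, and the topology
# (cross cert certifies the sub-CA's existing key under the new root, so the
# sub-CA's signatures on user certificates keep verifying) is an assumption.
NEW_ROOT = Cert("TC TrustCenter Class 2 CA II (new root)", "key-root-new",
                "key-root-new", utc(2006, 1, 1), utc(2025, 12, 31))
CROSS = Cert("TC TrustCenter Cross Class 2", "key-sub", "key-root-new",
             utc(2010, 12, 1), utc(2025, 12, 31))


def valid_paths(cert, intermediates, trust_anchors, when, _seen=()):
    """Return every chain [cert, ..., anchor] in which each certificate is
    inside its validity window at `when` and each link's issuer_key is the
    next certificate's subject_key.  A certificate that is itself a trust
    anchor (a root, or a white-listed leaf as with a Certificate Trust List)
    ends the path immediately."""
    if not cert.valid_at(when):
        return []
    if cert in trust_anchors:
        return [[cert]]
    paths = []
    for anchor in trust_anchors:
        if anchor.subject_key == cert.issuer_key and anchor.valid_at(when):
            paths.append([cert, anchor])
    for cand in intermediates:
        if cand.subject_key == cert.issuer_key and cand != cert and cand not in _seen:
            for tail in valid_paths(cand, intermediates, trust_anchors, when, _seen + (cert,)):
                paths.append([cert] + tail)
    return paths


def chains(cert, intermediates, trust_anchors, when):
    """Subject names of every valid chain; empty list means the leaf is unusable."""
    return [[c.subject for c in p] for p in valid_paths(cert, intermediates, trust_anchors, when)]


if __name__ == "__main__":
    t2010 = utc(2010, 6, 1)    # everything still inside its window
    t2011 = utc(2011, 2, 1)    # old root expired, user cert not yet expired
    print("old root, 2010:        ", chains(USER, [SUB_CA], [OLD_ROOT], t2010))
    print("old root, 2011:        ", chains(USER, [SUB_CA], [OLD_ROOT], t2011))
    print("old root deleted:      ", chains(USER, [SUB_CA], [], t2011))
    print("new root + cross cert: ", chains(USER, [SUB_CA, CROSS], [NEW_ROOT], t2011))
    print("white-listed leaf:     ", chains(USER, [SUB_CA], [USER], t2011))
    print("after leaf expiry:     ", chains(USER, [SUB_CA, CROSS], [NEW_ROOT], utc(2011, 4, 1)))
```

The runs show the thread's situation in order: before 2011 the old path works, after the root's expiry (or its deletion from the store) the same leaf and sub-CA yield no path at all, importing the new root plus the cross-certificate yields a path through the cross cert, white-listing the leaf as a trust anchor bypasses path building entirely (which is why that should only be done when you are sure the certificate is the recipient's), and once the leaf itself expires in March 2011 no amount of cross-certification helps.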

Zitat von Martijn Brinkers <martijn(a)djigzo.com>:

So in fact the certificates issued by trustcenter.de are invalid because
the root-CA is invalid (expired)?

The chain is as follows:

root-CA : valid from 09.03.1998 11:59:59 GMT - 01.01.2011 11:59:59 GMT
--> expired

sub-CA : Nov 26 16:01:23 2007 GMT - Dec 31 22:59:59 2025 GMT

certificate : 23.03.2008 until 23.03.2011

It seems that they have issued a new root certificate. It looks like
they have introduced a cross certificate into the chain to make the
'old' non expired sub-ca valid.

So, you should import "Neue Root-Zertifikate/TC TrustCenter Class 2 CA
II" with SHA1 thumbprint:

ae:50:83:ed:7c:f4:5c:bc:8f:61:c6:21:fe:68:5d:79:42:21:15:6e

and "Zwischenzertifikat / Crosszertifikat": TC TrustCenter Cross Class 2
with SHA1 thumbprint:

51:ee:c2:46:09:78:95:9b:ae:56:ca:0a:71:eb:35:d6:ca:04:21:2d

The sub-ca that was used to sign the certificates is now trusted again.

I think that they introduced the cross certificate as a way to start
using the new root.

Thanks, I have totally overlooked the cross-certs. IMHO cross
certification is evil as hell anyway and can lead to a total mess in
the trust chain.
But nothing Djigzo is responsible for as always. With the import of
the cross-certs it's now working with the new root-CA.

Regards

Andreas