Zitat von Martijn Brinkers <martijn(a)djigzo.com>om>:
Is it even PKI
conform to have sub-CA and certificates with longer
validity than the root-CA?
Although it's a bit strange to give the sub-CA a longer validity period
than the root, it's PKI not problematic because the certificates are
only valid if the complete chain is valid. What sometimes happens is
that CAs reuse the private key from the root (or sub-CA) to issue a new
CA certificate with a new validity period. It could be that they have
issued a new root with the same key.
So in fact the certificates issued by trustcenter.de are invalid
because the root-CA is invalid (expired)?
The chain is as follow:
root-CA : valid from 09.03.1998 11:59:59 GMT - 01.01.2011 11:59:59 GMT
sub-CA : Nov 26 16:01:23 2007 GMT - Dec 31 22:59:59 2025 GMT
certificate : 23.03.2008 until 23.03.2011
we have a
problem with certificates used by some customers which are
basically valid (certificate and sub CA) but have expired root-CA. We
have deleted the expired root-CA some time ago and now all user
certificates are invalid.
Do you still want to continue using those certificates to encrypt with?
are are you going to use new certificates?
If you want to keep using those certificates if when the root is missing
or expired you can force them to be 'valid' for encryption by adding the
individual certificates to the "Certificate Trust List" (white list the
certificates). You should do this only if you are certain that the
certificates are valid for the recipient.
This is a little bit awkward because the certificates are used by
external users. So from time to time a certificate is greeped by
Djigzo but can't be used because of expired root-CA. The certificates
are commonly used in germany and with a 3 year
validity we expect to see some more of the signed by the old root. I
even wonder if Trustcenter.de have noticed the problem because they
still seem to issue certificates signed by the sub-CA which belong to
the expired root-CA.