Timeline for Duplicate subject names for intermediate and root certificates
Current License: CC BY-SA 4.0
12 events
| when | what | by | license | comment | |
|---|---|---|---|---|---|
| Apr 6, 2019 at 10:37 | vote | accept | Amala | ||
| Apr 6, 2019 at 9:38 | answer | added | garethTheRed | timeline score: 5 | |
| Apr 6, 2019 at 4:25 | comment | added | dave_thompson_085 | To be clear, there are several roots with the same name as each other, and also several intermediates with the same name as each other, but not root(s) with the same name as intermediate(s)? Having root=imed will definitely screw up OpenSSL chainbuild/validation, and I expect others also but haven't tested. Also version of OpenSSL may matter; I know handling of possible alternate chains changed in 1.0.1 and I think it has again since. | |
| Apr 6, 2019 at 0:13 | comment | added | Amala | @garethTheRed Can you post your comment as an answer? That is pretty much the answer I have come up with. | |
| Apr 5, 2019 at 20:17 | comment | added | Amala | @garethTheRed Thanks. That is what we were discussing as well. It is more of a problem and time sink for all the operators trying to rotate keys and such. The browsers aren't confused like the humans. | |
| Apr 5, 2019 at 17:33 | comment | added | garethTheRed | It is the combination of Subject Name and Public Key which makes a certificate unique. If either of those change, it is a completely different certificate as far as verification is concerned. It can be either or both. It just confuses us humans when only the Public Key changes and the Subject Name remains the same :-) | |
| Apr 5, 2019 at 16:23 | history | edited | Amala | CC BY-SA 4.0 | added 39 characters in body |
| Apr 5, 2019 at 15:32 | comment | added | Amala | I am now seeing this related question: security.stackexchange.com/questions/159868/… Which suggests that a certificate with a differing validity with the same public key is ok. | |
| Apr 5, 2019 at 15:30 | comment | added | Amala | @SteffenUllrich Thanks. I didn't think to check that before. They are different public keys. Can you explain why this might be a problem? They do present the full chain. I experiment with clearing certs and using update-ca-certificates on Ubuntu to selectively add certs and the whole thing is very difficult to understand. I want to present something to them. | |
| Apr 5, 2019 at 15:15 | comment | added | Steffen Ullrich | Do these certificates with different subjects have the same public key or a different one? If they are the same then it should not really be a problem as long as the valid ones are included with the certificate chain. | |
| Apr 5, 2019 at 15:10 | review | First posts | |||
| Apr 5, 2019 at 15:53 | |||||
| Apr 5, 2019 at 15:06 | history | asked | Amala | CC BY-SA 4.0 |