2016-03-31 18:09 GMT+02:00 Jakob Bohm <jb-openssl at wisemo.com>:

> On 31/03/2016 17:16, warron.french wrote:
> 3. Then create new server certificates for the 2 servers again.
>
> Yep, and give the new ones a slightly different "full"
> distinguished name (important for CRL and "ca" database).
> My approach is to include the year-month as an extra OU e.g.
>
> CN=foo.example.private,OU=isonetwork,OU=2016-03,O=YourCompany Inc,L=YourTown,C=XX

Why is this that important? Isn't the serial and/or keyid/hash enough to
differentiate between both certs? Or is it just another "layer of security"
for some not that correctly working clients out there?

Thanks!