On 01/04/2016 00:36, Ben Humpert wrote:
> 2016-03-31 18:09 GMT+02:00 Jakob Bohm <jb-openssl at wisemo.com>:
>> On 31/03/2016 17:16, warron.french wrote:
>> 3. Then create new server certificates for the 2 servers again.
>>
>> Yep, and give the new ones a slightly different "full"
>> distinguished name (important for CRL and "ca" database).
>> My approach is to include the year-month as an extra OU e.g.
>>
>> CN=foo.example.private,OU=isonetwork,OU=2016-03,O=YourCompany
>> Inc,L=YourTown,C=XX
> Why is this that important? Isn't the serial and/or keyid/hash enough
> to differentiate between both certs? Or is it just another "layer of
> security" for some not that correctly working clients out there?

Some protocols and data formats identify certificates only by their
issuer and subject distinguished names.

One of those is the default database format used by the "openssl ca"
utility (there is an option to avoid this, but it must be set when
initially creating the CA, so cannot be assumed or suggested when
someone already has a running site CA of unknown configuration).

Adding this explicit date also makes it easier to identify the correct
certificate in various user interfaces (it takes more brain time
checking the serial numbers or dates of each candidate certificate when
trying to pick the right one as part of a server configuration etc.).

I seem to recall there was one other protocol that relied solely on the
DN, but I can't remember which one right now.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
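As an added illustration of why the "ca" database cares about the DN (this is not code from the thread or from OpenSSL), here is a small Python model of the index.txt lookup under the default unique_subject setting, run against a constructed index.txt, together with the year-month OU trick applied to a renewal. The index.txt field layout and the rule that only rows marked Valid block a reissue follow the openssl ca utility; the function names are my own.

```python
import re

# Constructed sample of an "openssl ca" index.txt database (added example,
# not from the thread). Tab-separated fields: status (V/R/E), expiry,
# revocation date (empty unless revoked), serial, file name, subject DN.
SAMPLE_INDEX = (
    "V\t170331120000Z\t\t01\tunknown\t"
    "/C=XX/L=YourTown/O=YourCompany Inc/OU=2016-03/OU=isonetwork/CN=foo.example.private\n"
    "V\t170331120000Z\t\t02\tunknown\t"
    "/C=XX/L=YourTown/O=YourCompany Inc/OU=2016-03/OU=isonetwork/CN=bar.example.private\n"
    "R\t170331120000Z\t160401000000Z\t03\tunknown\t"
    "/C=XX/L=YourTown/O=YourCompany Inc/OU=isonetwork/CN=old.example.private\n"
)

FIELDS = ("status", "expiry", "revoked", "serial", "file", "subject")

def parse_index(text):
    """Parse index.txt into one dict per issued certificate."""
    return [dict(zip(FIELDS, line.split("\t")))
            for line in text.splitlines() if line.strip()]

def blocking_entry(entries, subject):
    """Mimic the default unique_subject=yes check of "openssl ca": a new
    request is refused when a Valid (V) row already carries the same
    subject DN. Revoked/expired rows are not indexed, so they do not block.
    Returns the serial of the blocking row, or None."""
    for e in entries:
        if e["status"] == "V" and e["subject"] == subject:
            return e["serial"]
    return None

DATE_OU = re.compile(r"/OU=\d{4}-\d{2}(?=/|$)")

def renewal_subject(subject, year_month):
    """Give a renewed certificate a distinct DN by updating (or inserting
    after the O= component) a year-month OU, as in Jakob's example DN."""
    if DATE_OU.search(subject):
        return DATE_OU.sub("/OU=" + year_month, subject, count=1)
    return re.sub(r"(/O=[^/]*)", r"\1/OU=" + year_month, subject, count=1)

if __name__ == "__main__":
    db = parse_index(SAMPLE_INDEX)
    old = db[0]["subject"]
    print("reissue with same DN blocked by serial:", blocking_entry(db, old))
    new = renewal_subject(old, "2016-04")
    print("renewal DN:", new, "blocked:", blocking_entry(db, new))
```

Reissuing foo.example.private with the unchanged DN is refused by serial 01, while the same name under OU=2016-04 is accepted; the revoked old.example.private row does not block at all.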