On Thu, Mar 31, 2016 at 6:36 PM, Ben Humpert <ben at an3k.de> wrote:
> 2016-03-31 18:09 GMT+02:00 Jakob Bohm <jb-openssl at wisemo.com>:
>> On 31/03/2016 17:16, warron.french wrote:
>>> 3. Then create new server certificates for the 2 servers again.
>>
>> Yep, and give the new ones a slightly different "full"
>> distinguished name (important for CRL and "ca" database).
>> My approach is to include the year-month as an extra OU, e.g.
>>
>> CN=foo.example.private,OU=isonetwork,OU=2016-03,O=YourCompany Inc,L=YourTown,C=XX
>
> Why is this that important? Isn't the serial and/or keyid/hash enough
> to differentiate between both certs? Or is it just another "layer of
> security" for some not that correctly working clients out there?

It could depend when Path Building (RFC 4158,
https://tools.ietf.org/rfc/rfc4158.txt) is involved, modulo some other things.

The two ways to uniquely identify a certificate are (1) the hash of the
issuer public key, which shows up as the AKID in the subject's certificate;
and (2) the pair {distinguished name, serial number} in the subject's
certificate.

Some user agents have had problems when a CA re-certifies the same public
key on a roll-over, when (1) the DN stays the same, and (2) the hash
changes. I think OpenSSL had a pain point here for a while. I think Viktor
fixed it recently (within the last year or so).

Issuers are supposed to ensure serial numbers are unique, but....

Jeff
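As an added example (not code from the thread or from the OpenSSL project), the script below builds the roll-over case Jeff describes with the openssl CLI: a constructed demo CA issues the same leaf key twice under the same DN, then once more with the extra OU=YYYY-MM Jakob suggested, and prints the identifiers each method relies on (AKID/SKID versus DN plus serial). It assumes openssl 1.1.1 or later on PATH; the CA, subject names and serials are all constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: re-certify one leaf key under the same DN (roll-over),
# then with a year-month OU, and compare AKID/SKID with DN + serial.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so the demo does not depend on the system openssl.cnf.
printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\n' > req.cnf
# CA extensions: SKID = hash of the CA public key (what leaf AKIDs point at).
printf 'basicConstraints = critical,CA:TRUE\nsubjectKeyIdentifier = hash\n' > ca_ext.cnf
# Leaf extensions: SKID = hash of the leaf key, AKID = hash of the issuer key.
printf 'subjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid\n' > leaf_ext.cnf

# Self-signed demo CA (constructed).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ca.key 2>/dev/null
openssl req -new -config req.cnf -key ca.key -subj "/CN=Demo CA/O=YourCompany Inc/C=XX" -out ca.csr
openssl x509 -req -in ca.csr -signkey ca.key -days 30 -extfile ca_ext.cnf -out ca.crt 2>/dev/null

# One leaf key, reused across every certificate (the roll-over case in the thread).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out leaf.key 2>/dev/null

# issue NAME SUBJECT SERIAL: CSR from the shared leaf key, signed by the demo CA.
issue() {
  openssl req -new -config req.cnf -key leaf.key -subj "$2" -out "$1.csr"
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -set_serial "$3" \
    -days 30 -extfile leaf_ext.cnf -out "$1.crt" 2>/dev/null
}

# field CERT {subject|serial|skid|akid}: one identifying field, whitespace stripped.
field() {
  case "$2" in
    subject) openssl x509 -in "$1" -noout -subject ;;
    serial)  openssl x509 -in "$1" -noout -serial ;;
    skid) openssl x509 -in "$1" -noout -text | grep -A1 'Subject Key Identifier' | tail -n 1 ;;
    akid) openssl x509 -in "$1" -noout -text | grep -A1 'Authority Key Identifier' | tail -n 1 ;;
  esac | sed 's/^ *//; s/^keyid://'
}

BASE="/CN=foo.example.private/OU=isonetwork/O=YourCompany Inc/C=XX"
issue old   "$BASE" 1001   # original certificate
issue new   "$BASE" 1002   # roll-over: same key, same DN, only the serial differs
issue dated "/CN=foo.example.private/OU=isonetwork/OU=2016-03/O=YourCompany Inc/C=XX" 1003

for c in old new dated; do
  printf '%-5s %s | %s | skid=%s | akid=%s\n' "$c" "$(field $c.crt subject)" \
    "$(field $c.crt serial)" "$(field $c.crt skid)" "$(field $c.crt akid)"
done
```

Between `old` and `new` the SKID and AKID are identical and the DN is identical, so only the serial tells them apart; `dated` differs in the DN as well, which is what the extra OU buys for clients and CRL/`ca` databases that key on the name.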