#121 CA serial number is ignored in hierarchical view

v1.0_(example)
open
nobody
None
5
2018-03-04
2017-10-26
No

3 certificate layers: root CA, CA, client cert. All managed in xca, of course.

If the CA certificate is renewed, then the existing client certs are all listed under the new CA, even though they expire with the old CA. Apparently the serial number is ignored.

If I renew a client certificate later and export it with certificate chain, then the chain contains the old CA certificate instead of the renewed CA cert. The serial number is ignored again.

Discussion

  • Christian Hohnstaedt

    The serial number is only used to distinguish 2 certificates.
    It is common practice to simply use unique random numbers as serial.
    XCA will soon remove the increasing serials and always generate random serials.
    Currently the "CA options" allow to switch to random serials.

    If more than one possible issuer exists (Issuer name matches CA subject and public key verifies the signature), XCA selects the CA with the latest expiry date (validUntil).
    This allows smooth CA rollover.

    There is however one issue I detected while investigating this issue:
    The AuthKeyIdentifier contains the CA serial number. This is painful for certificate rollover.

    Described here https://www.v13.gr/blog/?p=293

    I'm going to remove the unconditional application of dirname and serial for authKeyId.
    In the next release it will only be a copy of the issuers subjKeyId

    Does this clear things up and solve the issue for you?

  • Harald Dunkel

    Harald Dunkel - 2018-01-07

    Sorry, but I am confused about your response. I don't have a problem with incremental vs. random "serial numbers". Would you mind elaborating on how your changes will fix the GUI issue and how they make sure the certificate chain includes the (renewed) CA certificate used to renew the client cert?

  • Christian Hohnstaedt

    Hi Harald,

    the current behavior of XCA is as described in my comment above.
    I think this behavior is the most sane.

    Associating a Certificate to its signing CA happens by the following indicators:
    CA:Subject == Cert:Issuer and CA:pubkey verifies Cert:signature.
    Neither the serial number nor the validity time is considered for the "Issuer CA -> Issued cert" relation.

    XCA does not distinguish why a certificate appears (Signing or import).

    So the following may happen:

    A CA certificate exists and has a client cert assigned.
    Another CA certificate is generated or imported with the same subject and public key.
    The client cert will be moved to this CA if its validUntil date is higher than the one of the existing one.
    Otherwise the client cert will stay with the old CA.

    If you now use the elder CA (smaller validUntil time) to issue a new certificate, it will be
    grouped below the newer CA.
    Maybe confusing, but consequent.

    If the newer CA gets deleted, its cert(s) will be associated to the remaining CA cert.

    The chain displayed in the certificate tab will be the same as the one in the certificate chain exported (PKCS#12 chain, PEM chain).

    Cheers

    Christian

  • Harald Dunkel

    Harald Dunkel - 2018-01-18

    I am not sure if I got you correctly, but if the CA certificate says "the serial numbers must match", then this should be respected by xca on creating a certificate chain (IMHO).

  • Christian Hohnstaedt

    XCA 1.4.1 will not put the CA serial and issuer into issued certificates AuthKeyID anymore

    commit e3c9d7bff84f54f9a2cccd96804a9964419439b7
    Author: Christian Hohnstaedt christian@hohnstaedt.de
    Date: Sat Jan 6 13:00:08 2018 +0100

    SF Bug #121 CA serial number is ignored in hierarchical view
    
    Remove Serial number from "Authority Key Identifier"
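As an added example (not code from XCA, nor from anyone in this thread), here is the association rule Christian describes in his second comment, plus the keyid-only Authority Key Identifier that the commit above switches to, modelled in Go with only the standard library. `SelectIssuer`, `BuildChain`, `newCert` and `Scenario` are hypothetical names chosen for this example, and every certificate it uses is constructed at run time; the scenario is the ticket's own layout (root CA, intermediate CA, client cert) with the intermediate renewed under the same name and key pair after the client was issued.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SelectIssuer models the rule from the thread (not XCA's own code): a CA qualifies
// when CA.Subject == cert.Issuer and its public key verifies the signature; among
// qualifying CAs the latest validUntil (NotAfter) wins. Serials are never consulted.
func SelectIssuer(cert *x509.Certificate, cas []*x509.Certificate) *x509.Certificate {
	var best *x509.Certificate
	for _, ca := range cas {
		if !bytes.Equal(ca.RawSubject, cert.RawIssuer) || cert.CheckSignatureFrom(ca) != nil {
			continue // wrong name, or same name but this CA's key did not sign the cert
		}
		if best == nil || ca.NotAfter.After(best.NotAfter) {
			best = ca
		}
	}
	return best
}

// BuildChain walks leaf -> root applying SelectIssuer at each step: the chain an
// "export with certificate chain" following that rule would contain.
func BuildChain(leaf *x509.Certificate, cas []*x509.Certificate) []*x509.Certificate {
	chain := []*x509.Certificate{leaf}
	for cur := leaf; len(chain) < 16; {
		iss := SelectIssuer(cur, cas)
		if iss == nil || iss.Equal(cur) {
			break // nothing in the store issued it, or it is a self-signed root
		}
		chain, cur = append(chain, iss), iss
	}
	return chain
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// newCert builds a constructed test certificate; parent == nil means self-signed.
// SubjectKeyId derives from the public key alone, so a renewed CA that keeps its
// key pair keeps its key identifier (the keyid-only AKI the commit switches to).
func newCert(cn string, serial int64, years int, isCA bool, key *ecdsa.PrivateKey,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	ski := sha1.Sum(must(x509.MarshalPKIXPublicKey(&key.PublicKey)))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(years, 0, 0),
		SubjectKeyId:          ski[:],
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der))
}

// Scenario: root CA -> intermediate CA -> client; the client is issued by the
// intermediate, which is then renewed (same name and key, later expiry, new serial).
// Returns: serial of the CA the client is grouped under, serials along the exported
// chain (leaf first), whether the client's AKI matches both intermediates' SKI, and
// whether a same-name CA with a different key is ignored.
func Scenario() (issuerSerial int64, chainSerials []int64, akiMatchesBoth, impostorIgnored bool) {
	rootKey, interKey := newKey(), newKey()
	root := newCert("Root CA", 1, 20, true, rootKey, nil, nil)
	oldInter := newCert("Intermediate CA", 10, 1, true, interKey, root, rootKey)
	client := newCert("client", 100, 1, false, newKey(), oldInter, interKey)
	newInter := newCert("Intermediate CA", 11, 10, true, interKey, root, rootKey) // renewal
	impostor := newCert("Intermediate CA", 12, 30, true, newKey(), nil, nil)      // other key
	cas := []*x509.Certificate{root, oldInter, newInter, impostor}
	for _, c := range BuildChain(client, cas) {
		chainSerials = append(chainSerials, c.SerialNumber.Int64())
	}
	issuerSerial = SelectIssuer(client, cas).SerialNumber.Int64()
	akiMatchesBoth = bytes.Equal(client.AuthorityKeyId, oldInter.SubjectKeyId) &&
		bytes.Equal(client.AuthorityKeyId, newInter.SubjectKeyId)
	impostorIgnored = SelectIssuer(client, []*x509.Certificate{impostor}) == nil
	return
}

func main() { fmt.Println(Scenario()) }
```

Running it prints `11 [100 11 1] true true`: the client, although signed by the older intermediate (serial 10), is grouped under the renewed one (serial 11) because that one has the later validUntil, and the exported chain is client, renewed intermediate, root. The CA that shares the name but not the key (serial 12, with an even later expiry) is excluded by the signature check alone, which is why the rule needs no serial number; and because the Authority Key Identifier is the key identifier only, the client's AKI matches both the old and the renewed intermediate, which is the rollover property the commit restores.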