In my application, the human user accepts the server's X.509 certificate, verifying the fingerprint during the first-time connection. The fingerprint is stored in the client software. At later connections, only that particular certificate is accepted by the client.
If the server renews its own certificate, the fingerprint naturally does not match anymore and the user has to verify and accept the new fingerprint again.
I want to relax this restriction and accept this certificate, and also any renewal (maybe even rekey) of it.
The server certificate is issued by a CA, which is trusted by the client software. So my new check at the client side will be like:
- Check that the fingerprint matches the recorded one. Accept connection if yes.
- Check that the certificate is issued by a trusted CA. Reject connection if not.
- Check if this is a renewal of the previous certificate; accept connection if yes, reject otherwise.
Question: How can the last check be implemented? How can I know that a certificate C2 is in fact a renewal (or rekey) of another certificate C1?
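One way to implement the three checks, added here as an illustration and not code from the question's author. It assumes that "renewal or rekey" means a certificate that chains to the same trusted CA and carries the same subject DN and SANs as the pinned one (X.509 has no field that links a renewal to its predecessor, so the client has to define continuity itself), and it builds a constructed Ed25519 test CA to exercise the verdicts; `Accept`, `IsRenewal`, `Scenario` and the host names are invented for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"reflect"
	"time"
)
func Fingerprint(c *x509.Certificate) [32]byte { return sha256.Sum256(c.Raw) } // SHA-256 of the DER, the value the user verified
// IsRenewal (assumption): same subject DN and SANs; comparing names, not keys, lets a rekey pass too.
func IsRenewal(c1, c2 *x509.Certificate) bool {
	return c1.Subject.String() == c2.Subject.String() && reflect.DeepEqual(c1.DNSNames, c2.DNSNames)
}
// Accept runs the question's three checks in order against the pinned certificate.
func Accept(pinned, presented *x509.Certificate, roots *x509.CertPool, host string) bool {
	if Fingerprint(pinned) == Fingerprint(presented) {
		return true // check 1: exactly the pinned certificate
	}
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}) // check 2: chains to trusted CA
	return err == nil && IsRenewal(pinned, presented)                          // check 3: renewal of the pinned one
}
// issue signs tmpl under parent with signer's key (constructed test PKI, not a real CA).
func issue(tmpl, parent *x509.Certificate, pub, signer any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der) // DER produced just above, so it parses
	return c
}
func leaf(serial int64, cn, san string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{san}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
}
// Scenario pins C1, then presents C1, a rekeyed renewal C2 and an unrelated C3 issued by the same CA.
func Scenario() (bool, bool, bool) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	newPub := func() ed25519.PublicKey { p, _, _ := ed25519.GenerateKey(rand.Reader); return p }
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(48 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := issue(caTmpl, caTmpl, caPub, caKey)
	roots := x509.NewCertPool(); roots.AddCert(ca)
	const host = "srv.example.test"
	c1 := issue(leaf(2, "srv", host), ca, newPub(), caKey)
	c2 := issue(leaf(3, "srv", host), ca, newPub(), caKey)                    // renewal with a new key
	c3 := issue(leaf(4, "other", "other.example.test"), ca, newPub(), caKey) // same CA, other identity
	return Accept(c1, c1, roots, host), Accept(c1, c2, roots, host), Accept(c1, c3, roots, host)
}
```

Note that C3 is rejected even though it chains to the trusted CA, which is the difference between "issued by my CA" and "a renewal of my pinned certificate".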