
Questions about Certificates



Hi,

I have some doubts as far as handling of certificates is concerned.

* If we support multiple certificates (issued by different CAs)
and we get CERT-REQ payloads of all those CAs, is it necessary
to send all the certificates or is just one sufficient? If one is
sufficient, is it ok to send the reply to the first matching CA?

* If the responder to the CERT-REQ payloads sends out two CERT
payloads issued by two different CAs and one of the certificates is
invalid (certificate is expired, ...) whereas the other one is valid,
do we abort the connection as there is some error in the certificate,
or can we proceed with the valid certificate?

* If we get a CERT-REQ payload and we don't have a certificate issued
by that particular CA, can we abort the connection, or can we send some
other certificate issued by a different CA?

* If we don't get a CERT-REQ payload at all in the IKE exchange and we
support multiple certificates (issued by different CAs), can we send all
the certificates issued by those CAs, or is it ok if we send one of the
certificates? If one is ok, how do we select which certificate to send?

* If we get a CERT-REQ payload with the certificate type as a CRL and we
don't have a CRL on our side, can we abort the connection? Or do we have
to send the CRL somehow (getting the CRL from the CA using LDAP)?

Thank U
- Srinu
