Bug#514807: statistics about V1 CA Certs / general assumptions about the state of the network

Simon Josefsson simon at josefsson.org
Mon Mar 23 12:24:42 UTC 2009

Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:

> On 02/19/2009 04:42 PM, Simon Josefsson wrote:
>> Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:
>>> (is it even possible to transform a self-signed V1 cert into a
>>> self-signed V3 cert?)
>> Not without re-signing it, which requires that certificates under the V1
>> cert won't chain back to the V3 cert.  That's by design.
> Thanks for the response!  Can you point me to a reference, Simon?  I'd
> like to understand the details better, but don't know where to begin.

Check RFC 5280: the TBSCertificate structure contains the version, and
the structure is signed, so to change a V1 cert to V3 cert you'd have to
re-sign it.  That's possible of course, but you'll need the private key.
And in that case, you'd might as well generate a new V3 certificate
rather than converting information from an old one.

I'm not sure what I meant above though: if the public key is the same,
certs signed by the V1 cert may correctly chain back to the V3 cert.


More information about the Pkg-gnutls-maint mailing list