Understanding CRL Verification with Renewed CA
I would like to understand how a CRL is verified, and therefore how an end-entity certificate is verified, when the issuing CA's certificate and keys are renewed.
Suppose I have the following setup:
- Issuing CA publishing CRL
- End entity certificates issued by Issuing CA
- Validation service that validates issued end entity certificates through certificate chain and CRL
When nothing changes, the certificate is validated without any issues.
But what happens when I renew the CA certificate with new keys? The DN of the CA certificate would be the same, but the published CRL would be signed by a different key. The old CA certificate and keys would still be valid because their expiration date hasn't been reached yet, but they would not be used to publish new CRLs.
How would an end-entity certificate issued before the CA renewal be validated with the renewed CA certificate and its corresponding CRLs?
The CRL contains only information about the certificates issued by this particular CA with this particular public key. Revocation information for certificates issued with the older CA key is contained in another CRL file. Which CRL file needs to be used to verify revocation for a specific certificate is contained in the certificate itself, as the CRL distribution point.
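The following Go program is an added illustration of the answer's model, not code from the question or the answer. It builds the whole setup in memory with the standard library's crypto/x509: two generations of the issuing CA with the same Subject DN but different keys, end-entity certificates issued under each key, and one CRL per CA key, each signed by that key. The serial numbers, CRL numbers and the "Issuing CA" name are made up. The part a validator gets wrong after a renewal is choosing which CA certificate verifies a given CRL: the issuer DN is identical for both generations, so the CRL's Authority Key Identifier must be matched against the Subject Key Identifier of a trusted CA certificate and the signature checked under that key. This means the old CA certificate has to stay in the validator's trust store (for path building as well as CRL checking) until every certificate issued under the old key has expired.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// keyed pairs a private key with its certificate; the issuing CA has one per generation.
type keyed struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// certify generates a fresh key and signs tmpl with issuer (nil = self-signed). Go derives a CA's
// Subject Key Identifier (SKI) from its key and copies it into each issued certificate's Authority
// Key Identifier (AKI), so the AKI records which CA key signed a certificate or CRL.
func certify(tmpl *x509.Certificate, issuer *keyed) keyed {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	parent, signer := tmpl, any(key)
	if issuer != nil {
		parent, signer = issuer.cert, issuer.key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(365*24*time.Hour)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return keyed{key, must(x509.ParseCertificate(der))}
}

// newCA is one generation of the issuing CA: the DN never changes, the key does (made-up serial).
func newCA(serial int64) keyed {
	return certify(&x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "Issuing CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}, nil)
}

func issueLeaf(ca keyed, serial int64) *x509.Certificate {
	return certify(&x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: fmt.Sprintf("leaf-%d", serial)},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, &ca).cert
}

// issueCRL signs a CRL with one CA generation; the CRL's AKI names that key.
func issueCRL(ca keyed, number int64, revoked ...int64) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now().Add(-time.Minute)})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca.cert, ca.key))))
}

// findCRLSigner picks, from the CA certificates the validator trusts (old and renewed), the one whose
// key signed the CRL: both carry the issuer DN, so match the CRL's AKI to the SKI and verify the signature.
func findCRLSigner(crl *x509.RevocationList, cas []*x509.Certificate) (*x509.Certificate, error) {
	for _, ca := range cas {
		if bytes.Equal(ca.RawSubject, crl.RawIssuer) && bytes.Equal(ca.SubjectKeyId, crl.AuthorityKeyId) &&
			crl.CheckSignatureFrom(ca) == nil {
			return ca, nil
		}
	}
	return nil, fmt.Errorf("no trusted CA certificate with SKI %x verifies this CRL", crl.AuthorityKeyId)
}

// isRevoked follows the answer's model: the CRL covering a certificate is the one signed with the
// same CA key that issued it, i.e. the leaf's AKI equals the CRL's AKI.
func isRevoked(leaf *x509.Certificate, crls []*x509.RevocationList, cas []*x509.Certificate) (bool, error) {
	for _, crl := range crls {
		if !bytes.Equal(crl.RawIssuer, leaf.RawIssuer) || !bytes.Equal(crl.AuthorityKeyId, leaf.AuthorityKeyId) {
			continue
		}
		if _, err := findCRLSigner(crl, cas); err != nil {
			return false, err
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				return true, nil
			}
		}
		return false, nil
	}
	return false, fmt.Errorf("no CRL signed by the key that issued %s", leaf.Subject.CommonName)
}

func main() {
	old, renewed := newCA(1), newCA(2) // serials and CRL numbers are made up
	crls := []*x509.RevocationList{issueCRL(old, 7, 1002), issueCRL(renewed, 1)}
	for _, leaf := range []*x509.Certificate{issueLeaf(old, 1001), issueLeaf(old, 1002), issueLeaf(renewed, 2001)} {
		// Drop old.cert from this slice and the two old-key leaves can no longer be checked at all.
		rev, err := isRevoked(leaf, crls, []*x509.Certificate{old.cert, renewed.cert})
		fmt.Printf("%s: revoked=%v err=%v\n", leaf.Subject.CommonName, rev, err)
	}
}
```

Two caveats on the model. First, the example deliberately refuses to check an old-key certificate against the new-key CRL (the AKI comparison in `isRevoked`), which is the one-CRL-per-key arrangement the answer describes; a CA that instead signs a single CRL with its new key covering certificates issued under both keys is also allowed by RFC 5280, since it matches CRLs to certificates by issuer name, and a validator for such a CA would drop that comparison while still locating the CRL signer by AKI. Second, the CRL distribution point in the certificate only tells the validator where to fetch a CRL; it does not tell it which key signed what it fetched, so the AKI/SKI match and signature check above are still required.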