X509 certificates - maintaining certification path

manpreet Best Answer 2 years ago

I'm working on X509 storage system for some python based program. All certificates are kept in PostgresSQL database for easy access. All working ok, when for each subject(user or CA authority) there is only one certificate. Then finding validation path is easy, as issuer field uniquely identify next certificate:

UserCert1(CA_cert_class1) -> CA_cert_class1(CA_cert_root) -> CA_cert_root(CA_cert_root)

The problems starts when some certificates are renewed due to expiration or any other reason. Then two or more certificates have the same subject. In that case there is more than one possible certification paths.

UserCert1(CA_cert_class1) -> CA_cert_class1(CA_cert_root)(old)->....
                          -> CA_cert_class1(CA_cert_root)(new)->....

Trying each combination is not a solution. Also removing expired certificates is not a solution, as I need them to validate old digital signatures.

QUESTION: How to uniquely identify issuer cert within X509 certificate. I guess, this have something to do with X509v3 extensions. I'm not sure how to use them.