Hi Heller
I have a question about changing certificates.
mec_as2 sent several mails to me that the certificate of a partner will expire in some days.
The partner also uses mec_as2.
Now it looks like we have to change the certs both at the same time. Otherwise the sending of messages will break.
Or is there a way to change the certs asynchronously?
Kind Regards
Charley
daddykom,
that's one of the unsolved problems of AS2. Both partners have to exchange the certificates at the same time, which could result in a bigger issue if you have a huge amount of partners. Best is to send your certificate to your partners and tell them that you will use it from a specified date/time.
Partners that do not change the certificate at the specified date/time will not be able to communicate with you via AS2 until they have changed their settings/cert, too.
Regards
Heller
Heller,
this is not easy if there are a lot of partners.
Is this the same with the mec software to buy? That version is different in certificate management, I read in this forum.
Otherwise it could be an easier way to insert another field for a second certificate and a timestamp, at which AS2 takes this second cert instead of the original...
We changed the certs today at 12:00 and everything went well.
Regards
Charley
Charley,
it's mainly not a problem of the implementation but of AS2 in general.
The commercial version contains a certificate management where you could change the certs in a gui, export/import them and do everything else that is required.
But anyway, the idea of a scheduled cert change and keeping a second cert in the system sounds good to me. We will discuss this internally, thank you.
Regards
Heller
Dear Heller,
I agree with this post.
But to be honest it is not a simple problem because
two certificates can have a common period of validity.
Not a problem if the private key is the same, or the subjects are different.
But if not, creating the MDN with the right key is complicated ...
I add also that changing certs implies no traffic, in particular with asynch MDN... It is an AS2 problem, but not only AS2, any that use asymmetric keys...
CRLs should be used for such a case: changing the cert when the CRL contains the older cert id, but CRL is not often used, neither updated on time ...
A good way is to use an OCSP server, for mec_as2 and for the partner: it allows to signal 'online' that a certificate should not be used.
At least, it could be a great option that mec_as2 performs such queries to know when to change the certificate ...
MHO
crownedgrouse,
could you please give me some more information about this OCSP server and the idea behind it?
Regards
Heller
http://openssl.org/docs/apps/ocsp.html
OpenSSL can run as a very simple (hum...) OCSP server, so you can see what can be done in mec_as2 as an OCSP client.
The idea is:
- Mark in mec_as2 that a key will be changed soon for another.
(implies another select box I guess)
- Tell mec_as2 the exact date and time of the change (should not impact asynchronous MDN).
or
- Tell mec_as2 to use an OCSP server for this.
(A tab for OCSP config may be added in configuration)
If OCSP is used, before using a key, mec_as2 performs a simple OCSP client request on a cert, and gets back an answer:
'good' <-- cert should be used
'revoked' with cause SUPERSEDED <-- security problem on such cert
'revoked' with cause CESSATIONOFOPERATION <-- do not use any more
'revoked' with cause UNSPECIFIED <-- do not use
'unknown' <-- mec_as2 should know what to do on such a response (the cert is not known by the OCSP server)
When a 'revoked' status is answered, the other cert should be used (but it could be a good idea to perform also an OCSP request for it :>) ...)
In case of a network issue connecting to the OCSP server, the general rule is to use the cert, in order not to be blocked by an OCSP server that refuses to start...
This is for internal usage between your own OCSP server and your own mec_as2.
But you can allow others to perform queries on your OCSP server (running as public in such a case), by adding an OCSP entry in the X509 object (like a CRL distribution point).
It does not imply that the remote partner can do queries, but in such a case, the partner knows that you don't want to use the cert anymore.
"good night... and good luck..."
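The two ideas raised in this thread (Charley's second certificate plus a timestamp, and crownedgrouse's OCSP check before a key is used) can be combined into one small rollover policy. The following is an added example written for this page, not code from mec_as2 or from any poster; the names `CertSlot`, `OcspResult`, `select_signing_cert` and `accepted_certs`, the sample certificate labels and dates, and the fake OCSP lookups are all assumptions. The OCSP lookup is supplied by the caller so the policy runs offline; returning `None` models an unreachable responder, which per the thread must not block traffic. Inbound verification keeps both certificates live for a grace period after the switch, which is what keeps asynchronous MDNs for messages sent just before the changeover from failing.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional


@dataclass(frozen=True)
class CertSlot:
    """One certificate entry of a partner: the current or the second cert (assumed structure)."""
    label: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, now: datetime) -> bool:
        return self.not_before <= now <= self.not_after


@dataclass(frozen=True)
class OcspResult:
    """What an OCSP client hands back: the status and, for 'revoked', the reason."""
    status: str                   # "good", "revoked" or "unknown"
    reason: Optional[str] = None  # e.g. "superseded", "cessationOfOperation", "unspecified"


# Caller-supplied lookup; None models "OCSP server unreachable" (no real network call here).
OcspLookup = Callable[[CertSlot], Optional[OcspResult]]


def usable_after_ocsp(result: Optional[OcspResult], allow_unknown: bool = False) -> bool:
    """Rules as described in the thread: good -> use; revoked (any reason) -> do not use;
    responder unreachable -> use anyway so a dead responder cannot block traffic;
    unknown -> left open in the thread, so it is a policy flag here."""
    if result is None:
        return True
    if result.status == "good":
        return True
    if result.status == "revoked":
        return False
    if result.status == "unknown":
        return allow_unknown
    raise ValueError(f"unexpected OCSP status {result.status!r}")


def select_signing_cert(now: datetime, current: CertSlot, second: Optional[CertSlot],
                        switch_at: Optional[datetime], ocsp_lookup: OcspLookup,
                        allow_unknown: bool = False) -> Optional[CertSlot]:
    """Pick the key to use for outgoing traffic. Before the scheduled switch the current
    cert is preferred, afterwards the second one. A cert outside its validity window or
    flagged by OCSP is skipped, so a superseded current cert falls back to the second
    cert early, and the second cert is itself OCSP-checked before use."""
    if second is not None and switch_at is not None and now >= switch_at:
        order: List[Optional[CertSlot]] = [second, current]
    else:
        order = [current, second]
    for cert in order:
        if cert is None or not cert.valid_at(now):
            continue
        if usable_after_ocsp(ocsp_lookup(cert), allow_unknown):
            return cert
    return None


def accepted_certs(now: datetime, current: CertSlot, second: Optional[CertSlot],
                   switch_at: Optional[datetime], grace: timedelta) -> List[CertSlot]:
    """Certs accepted when verifying inbound traffic. Asynchronous MDNs for messages sent
    shortly before the switch still carry the old key, so both certs are accepted for a
    grace period after switch_at; outside that window only one cert is live."""
    if second is None or switch_at is None or now < switch_at:
        live = [current]
    elif now < switch_at + grace:
        live = [second, current]
    else:
        live = [second]
    return [c for c in live if c.valid_at(now)]


# --- constructed sample partner configuration (not real certificate data) ---
UTC = timezone.utc
CURRENT = CertSlot("partner-2023", datetime(2023, 1, 1, tzinfo=UTC), datetime(2024, 3, 1, tzinfo=UTC))
SECOND = CertSlot("partner-2024", datetime(2024, 1, 1, tzinfo=UTC), datetime(2025, 3, 1, tzinfo=UTC))
SWITCH_AT = datetime(2024, 2, 1, 12, 0, tzinfo=UTC)  # agreed changeover time, as in the thread
GRACE = timedelta(days=2)


def at(year: int, month: int, day: int, hour: int = 0) -> datetime:
    return datetime(year, month, day, hour, tzinfo=UTC)


# Fake OCSP responders standing in for a real client request.
def ocsp_all_good(cert: CertSlot) -> Optional[OcspResult]:
    return OcspResult("good")


def ocsp_current_superseded(cert: CertSlot) -> Optional[OcspResult]:
    return OcspResult("revoked", "superseded") if cert is CURRENT else OcspResult("good")


def ocsp_unreachable(cert: CertSlot) -> Optional[OcspResult]:
    return None


if __name__ == "__main__":
    for when in (at(2024, 1, 20), at(2024, 2, 1, 13), at(2024, 2, 10)):
        sign = select_signing_cert(when, CURRENT, SECOND, SWITCH_AT, ocsp_all_good)
        accept = accepted_certs(when, CURRENT, SECOND, SWITCH_AT, GRACE)
        print(when.date(), "sign with", sign.label if sign else None,
              "accept", [c.label for c in accept])
```

Run as a script it prints the signing cert and the accepted set for three points in time: before the switch, one hour after it (both certs accepted), and after the grace period. Swapping `ocsp_all_good` for `ocsp_current_superseded` shows the early fallback to the second cert, and `ocsp_unreachable` shows that a dead responder leaves the current cert in use.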
crownedgrouse,
thanks for the info, I will check this issue.
Regards
Heller