Page MenuHome GnuPG

Cross signing certificate in X.509 support
Open, NormalPublic


For the support of cross signing certificates, we need to fix our code for certificate validation in:

  • gpgsm
  • dirmngr (when used with NTBTLS for https)

Sample certificates are available:

And it is started to be used by Let's Encrypt migration, in September 2021.

Event Timeline

I read OpenSSL implementation.
It does NOT implement backtracking.
In openssl/crypto/x509/x509_vfy.c, it has a function find_issuer which does:

  • exclude a issuer when it's already in ctx->chain (can avoid recursion forever)
  • prefer the first non-expired one, else take the most recently expired one.

This way, we can solve T2972 and T5639. Not sure for T5445.