multiple CA certificates with same name
I am trying to install 2 CA certificates into the certstore to test CA Key update scenarios as defined in RFC 2510. I have encountered several problems with trying this. I had hoped to directly trust my RootCA with its original key and my RootCA with a new key both with the same subject DN into the trusted cert7.db.
Previous versions (using 6.0 currently) didn't allow you to install 2 CAs with the same name. A warning would tell you the older CA with this name would be overwritten if continuing. Currently, installing this second CA with the same DN is allowed through the admin GUI. However, since the nickname in cert7.db is the same as the previous, all management operations on these happen as if to one CA.
Question: How do I add a certificate to the certstore such that both my RootCA(old key) and my RootCA(new key) can be installed together in the certstore?
I tried to name the certificate when adding through the GUI. This did not change the nickname in cert7.db but still used the CN - O values to name the cert. Does the naming function not work when adding Trusted CA certificates?
I tried to add using certutil found in Certificate Management Server (CMS). I could not run this on the https-rootca.....-cert7-db. I had to copy this file to a directory as cert7.db as the tool does not allow running on a filename but only on a directory where cert7.db exists. I then listed the certs to see what was there and then added the new RootCA using the -i option and -n option to use a custom nickname. This also failed to change the name of the CA stored in the cert7.db. If it had worked, I would have copied it back to https-...-cert7.db.
The end result is that I can't seem to trust both the old and new RootCA certificates at the same time. Has anyone been able to accomplish this?