"Vainikainen Saku EINT" <Saku(_dot_)Vainikainen(_at_)elisa(_dot_)fi> writes:
> This is how we do it. And this is why the decryption does not work since the
> new enc cert gets a new serial number, i.e. the encryption cert gets reissued,
> i.e. the encryption key pair gets recertified, i.e. cert hash changes. One
> cannot change the contents of a certificate without generating a new
> certificate serial number, i.e. issue a new certificate.

But why is this a problem? If you get something addressed to the old cert,
you use the old key to decrypt. If it's for the new cert, you use the new
key. In fact there isn't even any need to keep the old cert around if it's
decrypt-only, you mention PKCS #15, well that stores all the index info you
need with the key, so you don't need the cert at all.

> Our card has the following PKCS#15 key usages on the private keys:

Have you actually tested all the combinations with your software? That is,
added two certs that differ only in encryption vs. signature usage and then see
what the app does if asked for a signature or encryption cert? Some of the
people I pointed out problems to were surprised at the problems, since things
seemed to work OK (meaning that the app just grabbed the first key it found
and used that, so everything appeared to work fine).
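
The combinations test suggested above, sketched as an added example (not code from this thread or from any PKCS #15 implementation). The `KeyEntry` layout, the labels, and the issuer and serial values are constructed for illustration; only the usage names follow the PKCS #15 key usage flags.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class KeyEntry:
    """Simplified model of a private key object with its index info (assumed layout)."""
    label: str
    usage: frozenset     # PKCS #15 style usage flags, e.g. {"sign"} or {"decrypt", "unwrap"}
    cert_ids: frozenset  # (issuer, serial) of every certificate issued for this key

CA = "CN=Example CA"  # constructed issuer name

# Constructed store: a signature key, plus an encryption key that was
# recertified and is therefore reachable under two certificate serial numbers.
STORE = [
    KeyEntry("sig-key", frozenset({"sign"}), frozenset({(CA, 1001)})),
    KeyEntry("enc-key", frozenset({"decrypt", "unwrap"}),
             frozenset({(CA, 1002), (CA, 2002)})),
]

def first_key(store, wanted_usage, recipient_id=None):
    """Behaviour described in the message: grab the first key found."""
    return store[0]

def select_key(store, wanted_usage, recipient_id=None):
    """Filter on usage, then on the recipient identifier when one is given."""
    candidates = [k for k in store if wanted_usage in k.usage]
    if recipient_id is not None:
        candidates = [k for k in candidates if recipient_id in k.cert_ids]
    if len(candidates) != 1:
        raise LookupError(f"{len(candidates)} keys match {wanted_usage} {recipient_id}")
    return candidates[0]

def audit(store, selector):
    """Ask for every combination and record whether the returned key fits."""
    requests = [("sign", None), ("decrypt", (CA, 1002)), ("decrypt", (CA, 2002))]
    results = []
    for usage, rid in requests:
        key = selector(store, usage, rid)
        ok = usage in key.usage and (rid is None or rid in key.cert_ids)
        results.append((usage, rid[1] if rid else None, key.label, ok))
    return results

if __name__ == "__main__":
    for name, selector in (("first_key", first_key), ("select_key", select_key)):
        for row in audit(STORE, selector):
            print(name, row)
```

With the signature key stored first, `first_key` passes the signing request and fails both decryption requests, which is why a test that exercises only one operation appears to work.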