Client authentication leaf renewal

Sep 4, 2017
Nov 30, 2018


We are currently using a lot of SSL with client authentication with our b2b partners. We are validating the client certificate against a Group which contains a user that has the certificate coupled to it. For this to work, the name of the user needs to be the same as CN of the certificate.

Now we have a first case where the client certificate needs to be renewed. Ideally this is done by allowing both the old and the new certificate for a short period of time, to prevent the need for coordination between us and the b2b partner and, more importantly, to prevent downtime. However, as the renewed client certificate has the same CN, we cannot make a second user for it.


Any ideas to solve this? Any best practices on this topic?


The only solution we are currently considering is validating against a Federated Identity Provider with the Intermediate of the Client Cert as Trusted Certificate and doing a text-compare of the CN of the client cert in the policy itself.
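One way to get the overlap window the question asks for without a second user is to keep the identity keyed on CN (plus expected issuer) but pin a set of leaf fingerprints per identity, where the old fingerprint carries a retirement date once rotation starts. The following is an added example, not code from the original post: the issuer DN and the fingerprints are constructed values, and it assumes the TLS stack has already verified that the leaf chains to the partner CA's intermediate.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class PinnedCert:
    sha256: str                               # hex SHA-256 fingerprint of the leaf
    retire_after: Optional[datetime] = None   # None = current cert, no retirement planned

@dataclass
class PartnerIdentity:
    cn: str        # CN the partner's leaf must carry (the "user name" in the question)
    issuer: str    # expected issuer DN, i.e. the partner's intermediate CA
    pins: list = field(default_factory=list)

class ClientCertPolicy:
    def __init__(self, identities):
        self.by_cn = {i.cn: i for i in identities}

    def authorize(self, cn, issuer, sha256, now):
        """Return the mapped identity (CN) or None. Both pinned leaves with the
        same CN are accepted while the old one is inside its overlap window."""
        ident = self.by_cn.get(cn)
        if ident is None or ident.issuer != issuer:
            return None
        for pin in ident.pins:
            if pin.sha256.lower() == sha256.lower():
                if pin.retire_after is None or now <= pin.retire_after:
                    return ident.cn
                return None      # old cert presented after its overlap window closed
        return None              # same CN but an unknown leaf: not accepted

    def start_rotation(self, cn, new_sha256, overlap, now):
        """Pin the renewed leaf and schedule every currently open pin to retire."""
        ident = self.by_cn[cn]
        for pin in ident.pins:
            if pin.retire_after is None:
                pin.retire_after = now + overlap
        ident.pins.append(PinnedCert(new_sha256))

# Constructed sample data (not real certificates or fingerprints).
ISSUER = "CN=Partner Issuing CA (hypothetical)"
OLD_FP, NEW_FP = "aa" * 32, "bb" * 32
T0 = datetime(2017, 9, 4, tzinfo=timezone.utc)
T_IN_WINDOW, T_AFTER_WINDOW = T0 + timedelta(days=1), T0 + timedelta(days=15)

def build_demo_policy():
    policy = ClientCertPolicy([PartnerIdentity("partner.example", ISSUER, [PinnedCert(OLD_FP)])])
    policy.start_rotation("partner.example", NEW_FP, timedelta(days=14), T0)
    return policy
```

During the 14-day window both leaves map to the same identity; afterwards only the renewed one does, so the partner can switch at any point inside the window without coordinating a cut-over minute.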


