Dr S N Henson wrote:
>
> Michael Bell wrote:
> >
> > Hi,
> >
> > I found a bug in openssl ca. If you set authorityKeyIdentifier to
> > keyid and issuer always then the keyid will be set correctly but the
> > issuer is wrong.
> >
> > Example:
> >
> > Root-CA --> Sub-Level 1 CA --> Sub-Level 2 CA --> User
> >
> > If I issue a certificate for a user then the issuer of the CA-cert
> > is the DN of the Root-CA.
> >
>
> What do you mean here? Are you saying that the authorityKeyIdentifier in
> Sub-Level 2 CA issuer name is the root CA? If so that's correct because
> it's telling you the issuer and serial number of the CA that issued it.

If the new cert is for a user then the authorityKeyIdentifier issuer must be the DN from Sub-Level 1 CA but the DN is from the Root-CA. The issuer of the CA-certificate of Sub-Level 2 CA is the Sub-Level 1 CA. The issuer and serial number of the CA that issued the Sublevel 1 CA must be from Sublevel 2 CA but OpenSSL uses the DN of the Root-CA for the issuer.

Michael
--
-------------------------------------------------------------------
Michael Bell                   Email (private): [EMAIL PROTECTED]
Rechenzentrum - Datacenter     Email: [EMAIL PROTECTED]
Humboldt-University of Berlin  Tel.: +49 (0)30-2093 2482
Unter den Linden 6             Fax:  +49 (0)30-2093 2959
10099 Berlin
Germany                        http://www.openca.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
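
The chain from this thread rebuilt with throwaway keys, as an added example that is not part of the original messages: it prints, for each certificate, the `DirName` and `serial` that `authorityKeyIdentifier = keyid,issuer:always` produces, so they can be compared with the issuing CA's own certificate. The names `root`, `sub1`, `sub2`, `user` (standing for Root-CA, Sub-Level 1 CA, Sub-Level 2 CA, User), the serial numbers and `pki.cnf` are constructed for the example, and it signs with `openssl x509 -req` rather than `openssl ca`.

```shell
set -e
cd "$(mktemp -d)"

cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = root_ext
[dn]
CN = placeholder
[root_ext]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[ca_ext]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
[user_ext]
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid,issuer:always
EOF

# issue NAME SIGNER SERIAL EXT_SECTION: new key and certificate for NAME, signed by SIGNER
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config pki.cnf -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -set_serial "$3" \
        -days 1 -extfile pki.cnf -extensions "$4" -out "$1.pem" 2>/dev/null
}

# aki_field CERT FIELD: print FIELD (DirName or serial) from CERT's authorityKeyIdentifier
aki_field() {
    openssl x509 -in "$1.pem" -noout -text | sed -n "s/^ *$2://p"
}

# Constructed chain: root (serial 1) -> sub1 (2) -> sub2 (3) -> user (4)
openssl req -x509 -newkey rsa:2048 -nodes -config pki.cnf -subj "/CN=root" \
    -set_serial 1 -days 1 -keyout root.key -out root.pem 2>/dev/null
issue sub1 root 2 ca_ext
issue sub2 sub1 3 ca_ext
issue user sub2 4 user_ext

for c in sub1 sub2 user; do
    echo "$c: $(openssl x509 -in "$c.pem" -noout -issuer)," \
         "AKI DirName=$(aki_field "$c" DirName), AKI serial=$(aki_field "$c" serial)"
done
```

For `user`, the AKI `DirName` is the issuer name found in `sub2.pem` and the AKI `serial` is `sub2.pem`'s own serial number, so the pair identifies the issuing CA's certificate rather than the issuing CA's subject name.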