Hi,

cross ref on support list: "Re: refresh validity dates on a certificate".

While trying to refresh validity on certs I noticed that "openssl x509 ... 
-signkey filename" modifies the issuer name. It also preserves the 
extensions but appears to copy them verbatim. If there is a "X509v3 
Authority Key Identifier" in there then it may not match the issuer's key 
in the resulting cert. If it is producing a self-signed cert then surely 
the AKI and the SKI should be the same.

Other openssl commands appear to try to verify this resulting cert and 
fail.

I think if openssl is going to set the issuer and resign the cert then it 
should also update the AKI if it is present in the extensions.
If it sets the subject public key then it should also update the "X509v3 
Subject Key Identifier" extension if present.

I was using 9.8b.

This is a cert where subject = issuer but ski != aki. In this case it 
should be aki = ski.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15 (0xf)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=Queensland, O=IBM, L=Gold Coast, OU=GSKit, 
CN=sslcln
        Validity
            Not Before: Oct 25 04:00:23 2007 GMT
            Not After : Aug 14 04:00:23 2010 GMT
        Subject: C=AU, ST=Queensland, O=IBM, L=Gold Coast, OU=GSKit, 
CN=sslcln
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:a9:b1:99:5a:c2:d5:83:a6:6d:ea:d1:1f:f2:8c:
                    bf:43:6c:a2:09:07:f8:14:2f:f7:07:e4:cb:57:d9:
                    53:2e:55:68:86:c8:4d:8f:d2:3a:5a:81:ca:65:b0:
                    83:0a:97:6e:5a:15:f5:df:65:8f:e0:27:e3:dc:d1:
                    84:3a:ac:a2:d8:a9:9e:69:e1:5f:1d:88:10:72:85:
                    7e:ea:a4:db:79:43:0b:63:6b:4f:e0:8f:ee:09:9a:
                    66:14:bb:b1:48:2d:17:0f:da:c0:f9:12:8e:a2:98:
                    a5:61:86:85:14:10:30:c2:28:00:fd:0c:cb:ca:71:
                    9f:34:e0:8e:f5:25:f0:73:93
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
 8B:44:9A:12:AE:E1:D0:7F:6F:0C:60:87:1E:A6:8A:D8:9C:3D:57:57
            X509v3 Authority Key Identifier:
 keyid:89:9E:C2:C4:E6:87:4E:C2:DC:9E:DE:A7:D5:BE:64:F6:BF:2C:1E:2C

            X509v3 Subject Alternative Name:
                <EMPTY>

    Signature Algorithm: sha1WithRSAEncryption
        3a:15:9e:2d:0f:01:aa:b7:a2:86:b8:09:47:6b:00:7f:16:3a:
        32:46:11:be:06:16:f0:b8:cc:67:6e:8e:fe:32:14:5d:87:1c:
        ea:da:fa:81:e8:e7:e8:9f:c5:e1:06:4b:cc:2e:de:f7:bc:df:
        9e:60:be:94:23:67:b9:76:c9:47:4d:0c:ab:61:a5:eb:5e:3e:
        d3:50:c5:4b:4c:d3:92:a3:7e:31:03:dd:68:64:6a:e3:53:df:
        26:0b:c0:a0:d7:ff:a6:7d:5b:29:6f:50:8a:b7:8e:45:90:c8:
        1f:2e:a2:43:14:69:54:32:82:3c:90:b1:70:b2:8e:c1:b7:5d:
        df:f7

Simon McMahon
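The inconsistency described in the post (subject equals issuer, so the certificate is self-signed, yet the AKI keyid is not the SKI) can be detected without re-parsing DER by reading the text dump. The following script is an added example, not code from the post or from OpenSSL; it assumes the layout of an "openssl x509 -text" dump as shown above and the RFC 5280 "method 1" Subject Key Identifier (SHA-1 over the subjectPublicKey bits, which for RSA is the DER-encoded RSAPublicKey sequence of modulus and exponent). The sample dump is constructed from the certificate in the post.

```python
import hashlib
import re

# Constructed sample: the relevant lines of the dump from the post above
# (subject == issuer, but the AKI keyid differs from the SKI).
SAMPLE_DUMP = """\
        Issuer: C=AU, ST=Queensland, O=IBM, L=Gold Coast, OU=GSKit, CN=sslcln
        Subject: C=AU, ST=Queensland, O=IBM, L=Gold Coast, OU=GSKit, CN=sslcln
                Modulus (1024 bit):
                    00:a9:b1:99:5a:c2:d5:83:a6:6d:ea:d1:1f:f2:8c:
                    bf:43:6c:a2:09:07:f8:14:2f:f7:07:e4:cb:57:d9:
                    53:2e:55:68:86:c8:4d:8f:d2:3a:5a:81:ca:65:b0:
                    83:0a:97:6e:5a:15:f5:df:65:8f:e0:27:e3:dc:d1:
                    84:3a:ac:a2:d8:a9:9e:69:e1:5f:1d:88:10:72:85:
                    7e:ea:a4:db:79:43:0b:63:6b:4f:e0:8f:ee:09:9a:
                    66:14:bb:b1:48:2d:17:0f:da:c0:f9:12:8e:a2:98:
                    a5:61:86:85:14:10:30:c2:28:00:fd:0c:cb:ca:71:
                    9f:34:e0:8e:f5:25:f0:73:93
                Exponent: 65537 (0x10001)
            X509v3 Subject Key Identifier:
                8B:44:9A:12:AE:E1:D0:7F:6F:0C:60:87:1E:A6:8A:D8:9C:3D:57:57
            X509v3 Authority Key Identifier:
                keyid:89:9E:C2:C4:E6:87:4E:C2:DC:9E:DE:A7:D5:BE:64:F6:BF:2C:1E:2C
"""

HEX_LINE = re.compile(r"([0-9a-f]{2}:?)+")


def parse_dump(text):
    """Pull issuer, subject, RSA modulus/exponent, SKI and AKI keyid out of a text dump."""
    lines = text.splitlines()
    info = {"modulus": ""}
    i = 0
    while i < len(lines):
        s = lines[i].strip()
        if s.startswith("Issuer:"):
            info["issuer"] = s[len("Issuer:"):].strip()
        elif s.startswith("Subject:"):
            info["subject"] = s[len("Subject:"):].strip()
        elif s.startswith("Modulus"):
            # Collect the colon-separated hex lines that follow until a non-hex line.
            i += 1
            chunks = []
            while i < len(lines) and HEX_LINE.fullmatch(lines[i].strip()):
                chunks.append(lines[i].strip())
                i += 1
            info["modulus"] = "".join(chunks).replace(":", "")
            continue
        elif s.startswith("Exponent:"):
            info["exponent"] = int(s.split()[1])
        elif s.startswith("X509v3 Subject Key Identifier"):
            info["ski"] = lines[i + 1].strip().replace(":", "").lower()
            i += 1
        elif s.startswith("X509v3 Authority Key Identifier"):
            nxt = lines[i + 1].strip()
            if nxt.startswith("keyid:"):
                info["aki"] = nxt[len("keyid:"):].replace(":", "").lower()
            i += 1
        i += 1
    return info


def der_len(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_integer(value):
    """DER INTEGER for a non-negative big-endian byte string (pads if high bit set)."""
    if value[0] & 0x80:
        value = b"\x00" + value
    return b"\x02" + der_len(len(value)) + value


def rsa_public_key_der(modulus_hex, exponent):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    n = bytes.fromhex(modulus_hex)          # the dump already carries the 00 pad byte
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    body = der_integer(n) + der_integer(e)
    return b"\x30" + der_len(len(body)) + body


def expected_ski(info):
    """RFC 5280 method 1: SHA-1 of the subjectPublicKey bit string contents."""
    return hashlib.sha1(rsa_public_key_der(info["modulus"], info["exponent"])).hexdigest()


def check_cert(text):
    """Report whether a dump is self-signed and whether its key identifiers agree."""
    info = parse_dump(text)
    self_signed = info["subject"] == info["issuer"]
    aki = info.get("aki")
    return {
        "self_signed": self_signed,
        "ski_matches_aki": aki is not None and aki == info["ski"],
        "ski_matches_key_hash": info["ski"] == expected_ski(info),
        # A self-signed cert that carries an AKI keyid must point at its own SKI.
        "consistent": (not self_signed) or aki is None or aki == info["ski"],
    }


if __name__ == "__main__":
    for k, v in check_cert(SAMPLE_DUMP).items():
        print(f"{k}: {v}")
```

Run against the post's certificate, `consistent` comes out False because subject equals issuer while the AKI keyid still names the old issuer's key; `ski_matches_key_hash` additionally tells you whether the SKI that was copied over still corresponds to the public key actually in the certificate, which is the second half of the request above (update the SKI whenever the subject public key is replaced).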

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]