On 07/12/2012 10:00 PM, David Woodhouse wrote:
If it has the same name, then it's the same CA. Has it been rekeyed?
It has a different X509v3 Subject Key Identifier.
The Subject Key Identifier of the second cert in the list does not match
the Authority Key Identifier of the first cert. It's a broken chain. The
server MUST NOT do this.
Sorry, a chain is defined by the names, not by key identifiers.
There is strictly no requirement the subject and key identifiers must match.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List