In message <[EMAIL PROTECTED]> on Mon, 17 Nov 2003 23:55:59 +1100, "Steven Reddie" <[EMAIL PROTECTED]> said:
smr> So this sounds like a limitation of our software rather than an
smr> OpenSSL by-design issue?
smr>
smr> I've been told that when the EE certificate in question was
smr> issued that the CA's subject DN was copied to the EE's issuer DN
smr> and "flipped" on the way; I don't understand why.

Possibly because some software had some kind of order expectation. On the other hand, flipping the CA subject when making it the issuer of the EE cert is the perfect way to make sure nothing can be verified...

smr> The people responsible for the tools have now changed the
smr> behaviour to not flip the DN but are looking for us to get our
smr> PKCS12 export function working with their special certs so that
smr> their clients can avoid having to regenerate them. Should
smr> OpenSSL work with such certs?

What exactly was the export function supposed to do, did you say? Is it supposed to do some kind of flipping of unflipped stuff, and thereby render the signature in the exported certificates invalid?

Look, for a really quick and dirty solution, I'd suggest the following: have the CA certificate regenerated, containing the exact same public key, but with the subject (and issuer) flipped from what it currently is. That way, if I understand correctly, the subject of the new CA cert will match the issuer of the EE certs and everyone will be happy (except for some software that does some flipping before comparing CA subject and EE issuer).

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.
You don't have to be rich, a $10 donation is appreciated!

-- 
Richard Levitte   \ Tunnlandsvägen 3 \ [EMAIL PROTECTED]
[EMAIL PROTECTED] \ S-168 36 BROMMA  \ T: +46-8-26 52 47
                  \ SWEDEN           \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
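
Added example, not part of the original message and not OpenSSL code: a minimal DER encoder for an X.509 Name showing why a "flipped" issuer DN no longer chains to the CA subject, and why reissuing the CA certificate with a flipped subject restores the match. The DN values and helper names are constructed for illustration, and the comparison is on raw DER, a simplification of real name matching, which may normalize string values but does not reorder RDNs.

```python
# Added illustration: minimal DER encoding of an X.509 Name (RDNSequence).
# All DN values below are constructed sample data, not taken from the thread.

OIDS = {  # attribute type -> DER OID content bytes
    "C": bytes([0x55, 0x04, 0x06]),   # 2.5.4.6  countryName
    "O": bytes([0x55, 0x04, 0x0A]),   # 2.5.4.10 organizationName
    "CN": bytes([0x55, 0x04, 0x03]),  # 2.5.4.3  commonName
}

def tlv(tag, content):
    """DER tag-length-value, with short and long form lengths."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def encode_name(rdns):
    """Encode [(type, value), ...] as SEQUENCE OF SET OF SEQUENCE {OID, PrintableString}."""
    body = b""
    for attr, value in rdns:
        atv = tlv(0x30, tlv(0x06, OIDS[attr]) + tlv(0x13, value.encode("ascii")))
        body += tlv(0x31, atv)  # one attribute per RDN
    return tlv(0x30, body)      # outer SEQUENCE is ordered

def names_chain(issuer_rdns, subject_rdns):
    """Name chaining: EE issuer must equal CA subject, RDN by RDN, in order."""
    return encode_name(issuer_rdns) == encode_name(subject_rdns)

def same_attribute_set(a, b):
    """What a person reading the DNs sees: same attributes, order ignored."""
    return sorted(a) == sorted(b)

ca_subject = [("C", "AU"), ("O", "Example Org"), ("CN", "Example CA")]
ee_issuer_flipped = list(reversed(ca_subject))    # issuer as written into the EE cert
ca_subject_reissued = list(reversed(ca_subject))  # CA cert reissued, same key, flipped subject

if __name__ == "__main__":
    print("same attributes:    ", same_attribute_set(ca_subject, ee_issuer_flipped))
    print("original CA chains: ", names_chain(ee_issuer_flipped, ca_subject))
    print("reissued CA chains: ", names_chain(ee_issuer_flipped, ca_subject_reissued))
```

The issuer field is part of the signed portion of the EE certificate, so an export step that reorders it to match the CA would invalidate the EE signature; reissuing the CA certificate leaves the EE certificates untouched.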