> I used openssl with the intermediate CA to sign a separate cert, which
> had an AKID keyid but no issuer, and that chain recognizes fine.
>
> Could the problem be the fact that yahoo.pem has an AKID keyid AND
> issuer? (one or the other is sufficient, but I could find nothing that
> said that both were illegal).

It might be a bug in the OpenSSL X509_check_issued() function. I'm using OpenSSL 0.9.8i. Line 650 in v3_purp.c:

    if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
        return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;

nm is the DirName thing in the subject cert's AKID, i.e. "/O=WatchGuard_Technologies/OU=Fireware/CN=Resigning_CA", and "issuer" is the intermediate CA cert, so its "X509_get_issuer_name(issuer)" will be the name of the root CA. So the comparison will fail, and you get the error. Looks like it should be "X509_get_subject_name(issuer)".

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
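As an added illustration (not code from the thread and not OpenSSL's own source), the following pure-Python model reproduces the issuer-linking logic that X509_check_issued() applies, on certificates reduced to the few fields the check reads, so the behaviour behind the quoted comparison can be exercised offline. Under RFC 5280 §4.2.1.1 the authorityCertIssuer and authorityCertSerialNumber fields of an AKID identify the CA's own certificate by that certificate's issuer name and serial number; that is what a comparison against X509_get_issuer_name(issuer) tests, and it is why an AKID whose DirName is the intermediate CA's subject name fails to link even when its keyid matches the CA's SKID. Every subject, issuer, key identifier and serial number in the block is a constructed sample value, and the key-usage checks real OpenSSL also performs are left out.

```python
# Added example, not from the thread or from OpenSSL: a simplified model of the
# issuer-matching steps in X509_check_issued(). All certificate data below is
# constructed for the illustration. Key-usage (keyCertSign) checks are omitted.
from dataclasses import dataclass
from typing import List, Optional

# Result names mirror the OpenSSL verify-result identifiers discussed above.
X509_V_OK = "X509_V_OK"
X509_V_ERR_SUBJECT_ISSUER_MISMATCH = "X509_V_ERR_SUBJECT_ISSUER_MISMATCH"
X509_V_ERR_AKID_SKID_MISMATCH = "X509_V_ERR_AKID_SKID_MISMATCH"
X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH = "X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH"


@dataclass
class AuthorityKeyId:
    """RFC 5280 AuthorityKeyIdentifier; every component is OPTIONAL."""
    keyid: Optional[bytes] = None          # keyIdentifier
    cert_issuer: Optional[str] = None      # authorityCertIssuer (DirName only here)
    cert_serial: Optional[int] = None      # authorityCertSerialNumber


@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int
    skid: Optional[bytes] = None           # SubjectKeyIdentifier
    akid: Optional[AuthorityKeyId] = None  # AuthorityKeyIdentifier


def check_issued(issuer: Cert, subject: Cert) -> str:
    """Return X509_V_OK if `issuer` could have issued `subject`, else an error.

    Order of checks follows X509_check_issued():
      1. subject's issuer DN must equal the issuer cert's subject DN;
      2. an AKID keyid, if present, must equal the issuer cert's SKID;
      3. AKID authorityCertIssuer / authorityCertSerialNumber, if present,
         must equal the issuer certificate's own issuer DN and serial number,
         because those fields identify the CA's certificate (RFC 5280 4.2.1.1).
    """
    if subject.issuer != issuer.subject:
        return X509_V_ERR_SUBJECT_ISSUER_MISMATCH
    akid = subject.akid
    if akid is None:
        return X509_V_OK
    if akid.keyid is not None and akid.keyid != issuer.skid:
        return X509_V_ERR_AKID_SKID_MISMATCH
    if akid.cert_issuer is not None and akid.cert_issuer != issuer.issuer:
        return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
    if akid.cert_serial is not None and akid.cert_serial != issuer.serial:
        return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
    return X509_V_OK


def find_issuer(candidates: List[Cert], subject: Cert) -> Optional[Cert]:
    """First candidate that passes check_issued(), or None (no local issuer)."""
    for cand in candidates:
        if check_issued(cand, subject) == X509_V_OK:
            return cand
    return None


def build_sample_chain() -> dict:
    """Constructed root -> intermediate -> leaf certificates (sample data)."""
    root = Cert(subject="CN=Sample Root", issuer="CN=Sample Root",
                serial=1, skid=b"\x01")
    inter = Cert(subject="CN=Sample Intermediate", issuer="CN=Sample Root",
                 serial=2, skid=b"\x02",
                 akid=AuthorityKeyId(keyid=b"\x01"))
    # keyid alone: links fine.
    leaf_keyid_only = Cert(subject="CN=leaf-a", issuer="CN=Sample Intermediate",
                           serial=10, akid=AuthorityKeyId(keyid=b"\x02"))
    # keyid plus issuer/serial naming the intermediate's *certificate*
    # (its issuer DN and serial): also links fine.
    leaf_issuer_serial = Cert(subject="CN=leaf-b", issuer="CN=Sample Intermediate",
                              serial=11,
                              akid=AuthorityKeyId(keyid=b"\x02",
                                                  cert_issuer="CN=Sample Root",
                                                  cert_serial=2))
    # keyid plus a DirName that is the intermediate's own subject: the
    # issuer-name comparison fails, so the chain does not link.
    leaf_names_ca_itself = Cert(subject="CN=leaf-c", issuer="CN=Sample Intermediate",
                                serial=12,
                                akid=AuthorityKeyId(keyid=b"\x02",
                                                    cert_issuer="CN=Sample Intermediate"))
    return {"root": root, "intermediate": inter,
            "leaf_keyid_only": leaf_keyid_only,
            "leaf_issuer_serial": leaf_issuer_serial,
            "leaf_names_ca_itself": leaf_names_ca_itself}


if __name__ == "__main__":
    chain = build_sample_chain()
    store = [chain["root"], chain["intermediate"]]
    for name in ("leaf_keyid_only", "leaf_issuer_serial", "leaf_names_ca_itself"):
        hit = find_issuer(store, chain[name])
        print(name, "->", hit.subject if hit else "no local issuer found")
```

When a chain stops linking only after an issuer/serial pair is added to the AKID, compare the DirName in the leaf's AKID with the issuer DN printed for the CA certificate (openssl x509 -noout -issuer -serial on the CA cert) rather than with the CA's subject; a mismatch there is what the model's third step rejects.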