On Thu, Mar 12, 2009, Rene Hollan wrote: > Yeah, I just noticed that. > > I've been comparing how my intermediate CA resigned an existing cert > (it's part of a proxy that decrypts, examines, and reencrypts -- the > downstream client sharing a trust hierarchy with the intermediate > "resigning" CA) with what "OpenSSL ca ..." does. > > OpenSSL ca ... actually puts the issuer of the issuer into the AKID > issuer field of the signed cert, along with the issuer serial number. > When the issuer is a root ca, it is it's own issuer, so the issuer > (which is what my resigning code was using), and issuer's issuer are the > same. But, when the issuer is an intermediate CA, they are different. > > So, either I'm doing it wrong, or OpenSSL ca ... Is doing it wrong (but > consistent with how OpenSSL verify ... checks). > > At this point, I think the error is mine. At least browsers accept the > cert when OpenSSL signs it with an intermediate CA, and not when I do. > > Think about it: the purpose of the AKID is to identify the public key of > the signer, either by matching the SKID of the signer, or some other > means of identifying the signer. Well, the signer's serial number is > unique within those issued by IT'S signer, so the combination of IT's > signer and IT's serial number should be probabilistically unique. > > This whole SKID/AKID mess comes about because issuer and subject DNs are > not guaranteed to be globally unique, but the combination of issuer's > issuer DN, and issuer's serial number within the issuer's issuer's DN > are statistically more so. (Without SKID/AKID, one would have to verify > a prospective issuer by unhashing the signature with the issuer's public > key, which is arguably more computationally expensive that comparing > SKID and AKID. One should still do this anyway, but the SKID/AKID check > preemptively eliminates the wrong issuer). > > Sigh. X500 looks like a royal "designed by non-technical committee" > mess. > > Thanks for the help, now excuse me while I make a code change. >
If it's any consolation you aren't alone with that, it gets commented on quite often so much so in fact that it has an FAQ entry: http://www.openssl.org/support/faq.html#USER15 You can just leave out the issuer+serial number combination from AKID too. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org