Yeah, I realized that. I changed things to include an AKID if the issuer has a 
SKID, and the issuer's issuer's subject DN and issuer's serial number if not.

Got it all working finally, once I had the proxy chain its intermediate CA. 
(When it wasn't doing this, I thought to try to add it to the trusted store of 
the browser, realizing that defeated the purpose of an intermediate CA, but 
wanted to test. That didn't work, but likely because I forgot to tell the 
browser what the trust chain rooted at the root CA was FOR.)


-----Original Message-----
From: owner-openssl-us...@openssl.org on behalf of Dr. Stephen Henson
Sent: Fri 3/13/2009 5:14 AM
To: openssl-users@openssl.org
Subject: Re: Can't recognize intermediate CA
 
On Thu, Mar 12, 2009, Rene Hollan wrote:

> True, but (a) it doesn't hurt to have both, and (b) if the issuer
> doesn't have a SKID, AKID issuer/serial takes the place of an AKID
> keyid.
> 

The disadvantage is that if you want to support more than one intermediate CA
(cross certification for example) and you have issuer+serial in AKID then
you'll get a mismatch with any new CA.

This has caused issues when some people had an intermediate CA expire before
the EE cert.

Technically AKID/SKID should just be a hint as to the correct issuer
certificate which can be ignored but some software (including OpenSSL
currently) requires a match.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
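
Steve's point about issuer+serial in the AKID, as an added example that is not from the thread or from OpenSSL: a small Python model of issuer lookup in which DNs are plain strings and key identifiers are constructed byte strings. It contrasts software that insists on an exact AKID match with software that treats the AKID as a hint, for an intermediate that has been cross-certified by a second root and later re-issued by the first.

```python
from dataclasses import dataclass
from typing import List, Optional

# Minimal model of the certificate fields involved in AKID/SKID chain building.
# Constructed for illustration; a real checker would parse X.509 with a library.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    skid: Optional[bytes]               # SubjectKeyIdentifier (hash of the key)
    akid_keyid: Optional[bytes] = None  # AKID keyIdentifier
    akid_issuer: Optional[str] = None   # AKID authorityCertIssuer
    akid_serial: Optional[int] = None   # AKID authorityCertSerialNumber

def akid_agrees(cert: Cert, cand: Cert) -> bool:
    """True when every AKID component present in `cert` matches `cand`.
    A candidate without an SKID cannot satisfy an AKID keyIdentifier."""
    if cert.akid_keyid is not None and cert.akid_keyid != cand.skid:
        return False
    if cert.akid_issuer is not None and cert.akid_issuer != cand.issuer:
        return False
    if cert.akid_serial is not None and cert.akid_serial != cand.serial:
        return False
    return True

def find_issuers(cert: Cert, pool: List[Cert], strict: bool) -> List[Cert]:
    """Candidate issuers of `cert` among `pool`, selected by name chaining.
    strict=True drops any candidate whose SKID/issuer/serial disagree with the
    AKID (the behaviour the thread describes for OpenSSL); strict=False treats
    the AKID as a hint: agreeing candidates come first, the rest are kept."""
    named = [c for c in pool if c.subject == cert.issuer]
    agree = [c for c in named if akid_agrees(cert, c)]
    if strict:
        return agree
    return agree + [c for c in named if not akid_agrees(cert, c)]

# Constructed sample data: one intermediate key, certified three times.
KEY_ID = bytes.fromhex("a1b2c3d4")               # stand-in for the key hash
INTER_BY_A = Cert("Inter CA", "Root A", 1001, KEY_ID)   # original issuance
INTER_BY_B = Cert("Inter CA", "Root B", 2002, KEY_ID)   # cross-certified
INTER_RENEWED = Cert("Inter CA", "Root A", 1003, KEY_ID)  # re-issued after expiry
POOL = [INTER_BY_A, INTER_BY_B, INTER_RENEWED]

# EE cert whose AKID carries only the keyIdentifier ...
EE_KEYID = Cert("EE", "Inter CA", 7, None, akid_keyid=KEY_ID)
# ... and one whose AKID also pins the issuer's issuer DN and serial number.
EE_PINNED = Cert("EE", "Inter CA", 8, None, akid_keyid=KEY_ID,
                 akid_issuer="Root A", akid_serial=1001)
```

With the keyid-only AKID all three intermediate certificates qualify even under strict matching; with issuer+serial pinned, strict matching accepts only the original issuance, so the cross-certified and renewed intermediates are rejected.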
