On 19 May 2011 (XIV Kal. Iun. MMXI), Dave Thompson wrote:
> > From: owner-openssl-us...@openssl.org On Behalf Of Erwann ABALEA
> > Sent: Thursday, 19 May, 2011 04:20
> 
> > On 18 May 2011 (XV Kal. Iun. MMXI), Alex Bergmann wrote:
> <snip: "renew" CA>
> > > The only way I found was to give the new Root Certificate the same
> > > serial number as the previous one.
> > 
> > That's forbidden by X.509 standard. And the serial number has nothing
> > to do with the SKI/AKI.
> > 
> There are (at least) two kinds of AuthorityKeyIdentifier. 
> 
> AKI=SKI identifies only the parent (CA) key (by hash), 
> and is ambiguous if CA gets new cert for same key.
> 
> AKI=issuerSerial *does* use parent (CA) serial.

You're right, the AKI extension can be populated with these 2 pieces of
information (in fact, really 3, but 2 of them are linked together in
X.509, and not in RFC 5280).

-- 
Erwann ABALEA <erwann.aba...@keynectis.com>
Département R&D
KEYNECTIS
-----
"Do or do not. There is no try."
                                     Yoda
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
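The two forms of AuthorityKeyIdentifier discussed in this thread are easiest to see on the wire. The following is an added example, not code from the thread or from OpenSSL: it decodes the AKI extension (RFC 5280 section 4.2.1.1: keyIdentifier [0], authorityCertIssuer [1], authorityCertSerialNumber [2]) with a minimal DER reader written for this demo, then tries to find the issuing CA certificate among a constructed set of candidates. The sample CA "certificates", key bytes and names are constructed for the demo; the SKI values are computed with the SHA-1-of-public-key method from RFC 5280 section 4.2.1.2. The point it shows is the one Dave Thompson makes: an AKI carrying only keyIdentifier matches both the old and the renewed root cert when the CA kept its key, while issuer plus serial pins exactly one of them.

```python
"""Decode AuthorityKeyIdentifier and match it against candidate CA certs.

  AuthorityKeyIdentifier ::= SEQUENCE {
      keyIdentifier             [0] IMPLICIT OCTET STRING OPTIONAL,
      authorityCertIssuer       [1] IMPLICIT GeneralNames OPTIONAL,
      authorityCertSerialNumber [2] IMPLICIT INTEGER      OPTIONAL }
"""
import hashlib


def der_tlv(data, pos=0):
    """Read one DER TLV at `pos` (single-byte tags, definite lengths only).
    Returns (tag, value_bytes, position_after_this_tlv)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def der_encode(tag, value):
    """Wrap `value` in a DER TLV with the given single-byte tag."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def der_int(n):
    """Minimal two's-complement INTEGER contents (adds a leading 0x00 if needed)."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True)


def name_cn(cn):
    """Constructed DER Name with one commonName (OID 2.5.4.3) RDN."""
    atv = der_encode(0x30, der_encode(0x06, bytes.fromhex("550403"))
                     + der_encode(0x0C, cn.encode()))
    return der_encode(0x30, der_encode(0x31, atv))


def build_aki(key_id=None, issuer_name_der=None, serial=None):
    """Encode an AuthorityKeyIdentifier value with whichever fields are given."""
    body = b""
    if key_id is not None:
        body += der_encode(0x80, key_id)                       # [0] IMPLICIT OCTET STRING
    if issuer_name_der is not None:
        # [1] IMPLICIT GeneralNames, holding one GeneralName directoryName ([4] EXPLICIT Name)
        body += der_encode(0xA1, der_encode(0xA4, issuer_name_der))
    if serial is not None:
        body += der_encode(0x82, der_int(serial))              # [2] IMPLICIT INTEGER
    return der_encode(0x30, body)


def parse_aki(der):
    """Decode the three optional AKI fields; absent fields are None."""
    tag, body, _ = der_tlv(der)
    assert tag == 0x30, "AKI must be a SEQUENCE"
    out = {"keyIdentifier": None, "authorityCertIssuer": None,
           "authorityCertSerialNumber": None}
    pos = 0
    while pos < len(body):
        tag, value, pos = der_tlv(body, pos)
        if tag == 0x80:
            out["keyIdentifier"] = value
        elif tag == 0xA1:
            names, p = [], 0
            while p < len(value):                 # GeneralNames is a SEQUENCE OF GeneralName
                t, v, p = der_tlv(value, p)
                names.append((t, v))              # for [4] directoryName, v is the full Name DER
            out["authorityCertIssuer"] = names
        elif tag == 0x82:
            out["authorityCertSerialNumber"] = int.from_bytes(value, "big", signed=True)
    return out


# Constructed candidate CA certs, reduced to the fields chain building needs.
CA_KEY = b"constructed-sample-root-public-key-bytes"       # stands in for subjectPublicKey
SKI = hashlib.sha1(CA_KEY).digest()                          # RFC 5280 4.2.1.2 method (1)
ISSUER_NAME = name_cn("Sample Root CA")
CA_CERTS = [
    {"label": "root-2006", "subject": ISSUER_NAME, "serial": 1, "ski": SKI},
    # "Renewed" root: new certificate, new serial, but the SAME key, so the same SKI.
    {"label": "root-2011-renewed", "subject": ISSUER_NAME, "serial": 2, "ski": SKI},
    {"label": "other-ca", "subject": name_cn("Other CA"), "serial": 1,
     "ski": hashlib.sha1(b"another-constructed-key").digest()},
]


def match_issuers(aki, candidates):
    """Return labels of every candidate cert the AKI is consistent with."""
    hits = []
    for c in candidates:
        if aki["keyIdentifier"] is not None and aki["keyIdentifier"] != c["ski"]:
            continue
        if aki["authorityCertIssuer"] is not None:
            dir_names = [v for t, v in aki["authorityCertIssuer"] if t == 0xA4]
            if c["subject"] not in dir_names:
                continue
        if aki["authorityCertSerialNumber"] is not None \
                and aki["authorityCertSerialNumber"] != c["serial"]:
            continue
        hits.append(c["label"])
    return hits


def demo():
    """keyIdentifier-only AKI vs. AKI that also carries issuer + serial."""
    ambiguous = match_issuers(parse_aki(build_aki(key_id=SKI)), CA_CERTS)
    exact = match_issuers(parse_aki(build_aki(key_id=SKI, issuer_name_der=ISSUER_NAME,
                                              serial=2)), CA_CERTS)
    return ambiguous, exact


if __name__ == "__main__":
    a, e = demo()
    print("keyIdentifier only   ->", a)   # both root certs match
    print("plus issuer + serial ->", e)   # only the renewed root matches
```

When a chain builder sees the ambiguous result it has to try both candidates (and check validity periods and signatures) rather than assume the first hit; that is the practical cost of the keyIdentifier-only form, and the reason the issuer/serial form removes the ambiguity when a CA rolls its certificate but not its key.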
