> From: owner-openssl-us...@openssl.org On Behalf Of Peter Lin
> Sent: Wednesday, 01 June, 2011 04:35

> I am having a similar problem here:
<history snipped>
> For some reason I need to renew/extend an intermediate certificate
> within a chain. Without setting the old serial number, all its
> descending certs verification will fail when using 'openssl verify'.

and, probably more important, will fail when verifying an SSL/TLS
connection, or AFAIK any other real use such as verifying SMIME.
(Aside: "descendant" not "descending")

> So the question is: Is there any way to issue a new signing certificate
> with a different serial number but not breaking the original chain?

DON'T include AKI=Issuer&Serial when issuing the child cert(s).
Use only AKI=SKI or no AKI at all. For 'openssl ca', this is config
authorityKeyIdentifier = keyid or omitted but not issuer.

If a child cert is already issued with AKI=issuer&serial,
the new parent (stepparent?) cert must have same issuer & serial,
otherwise you must re-issue the child cert(s).
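
The advice in the reply above can be checked end to end with the following added demonstration, which is not part of the original message. It assumes `openssl x509 -req -extfile` in place of `openssl ca` (the `authorityKeyIdentifier` syntax is the same) and uses `issuer:always` to force issuer and serial into the AKI; all subjects, serials and file names are constructed.

```shell
#!/bin/sh
# Added demo; every subject, serial and file name here is constructed.
# build_pki DIR: a root, one intermediate issued twice from the same CSR (same
# key and subject, new serial), and two leaves differing only in their AKI form.
build_pki() (
  set -e; cd "$1"
  cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
[leaf_keyid]
authorityKeyIdentifier = keyid
[leaf_issuer]
authorityKeyIdentifier = keyid,issuer:always
EOF
  for n in root int leaf; do
    openssl genrsa -out "$n.key" 2048 2>/dev/null
    openssl req -new -config demo.cnf -key "$n.key" -subj "/CN=Demo $n" -out "$n.csr"
  done
  openssl x509 -req -in root.csr -signkey root.key -days 30 \
    -extfile demo.cnf -extensions ca -out root.crt 2>/dev/null
  sign() {  # sign CSR CA_CERT CA_KEY SERIAL EXT_SECTION OUT
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$3.key" -set_serial "$4" \
      -days 30 -extfile demo.cnf -extensions "$5" -out "$6.crt" 2>/dev/null
  }
  sign int  root    root 1001 ca          int_old
  sign leaf int_old int  11   leaf_keyid  leaf_keyid   # AKI = parent's SKI only
  sign leaf int_old int  12   leaf_issuer leaf_issuer  # AKI also pins issuer + serial 1001
  sign int  root    root 2002 ca          int_new      # the renewal: only the serial changes
)
# chain_ok DIR INTERMEDIATE LEAF: exit status 0 if the leaf verifies through it
chain_ok() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/$2.crt" "$1/$3.crt" >/dev/null 2>&1
}
demo_dir=$(mktemp -d)
build_pki "$demo_dir"
for leaf in leaf_keyid leaf_issuer; do
  for int in int_old int_new; do
    if chain_ok "$demo_dir" "$int" "$leaf"; then r=OK; else r=FAIL; fi
    echo "$leaf via $int: $r"
  done
done
```

Only the `leaf_issuer` certificate checked through `int_new` fails; `openssl x509 -noout -text -in leaf_issuer.crt` shows the `DirName` and `serial` entries in its Authority Key Identifier that tie it to the old intermediate.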