> From: owner-openssl-us...@openssl.org On Behalf Of Leon Brits
> Sent: Sunday, 02 June, 2013 10:11

> I have just created a new CA which has the extension to allow
> client authentication. My previous CA worked fine without this
> extension but some client application now requires that I set it.

That doesn't make sense; there are extensions in a client (EE) cert that might be needed for client-auth, but not in a CA cert. I guess you mean that verification *by* some client(s) *of* a server cert under a CA cert requires the CA cert to have the extensions that mark it as a CA cert (probably BC, KU, SKI). openssl does not enforce this, but I believe some implementations do; 3280 and 5280 say the CA MUST (2119ly) provide them, which permits, but as far as I can see doesn't require, a relier to demand them, so that's a judgement call.

> So I've created a new client key pair and signed it with the new CA,
> but when I use openssl verify to test it, it does not verify.

Aside: you don't need a new client keypair. There's nothing wrong with issuing a cert under a new CA for an old client key -- with the same DN if you want, even using the old CSR if you kept it. OTOH a new keypair is fine also.

> I get the following error:
> $ openssl verify -CAfile CA/cacert.pem client.cert
> stdin: <DN>
> error 20 at 0 depth lookup:unable to get local issuer certificate

> If I look at the new client certificate's chain I get:
<snipped 2x subject&issuer>

Those do look right, unless there are some unprintable characters or inconsistent encodings or something. If you used openssl (e.g. 'req', 'ca' or 'x509 -req') for everything I wouldn't expect that, but you might look at the exact DN values in a hexdump or similar. Command-line asn1parse can help you find the right bytes to check.

> The extensions for the CA are now:
> X509v3 extensions:
>     X509v3 Subject Key Identifier:
>         ED:51:C6:3B:A3:72:B3:F5:33:80:F0:7C:15:FD:CE:FF:6C:B6:07:6A
>     X509v3 Authority Key Identifier:
>         keyid:ED:51:C6:3B:A3:72:B3:F5:33:80:F0:7C:15:FD:CE:FF:6C:B6:07:6A
>         DirName:/C=aa/ST=gg/L=ppp/O=mod/OU=eng/CN=crypto-admin/emailAddress=root@localhost
>         serial:A4:48:38:09:CB:16:6A:D0
>     X509v3 Basic Constraints:
>         CA:TRUE
>     X509v3 Key Usage:
>         Certificate Sign, CRL Sign

There's no need to have AKI in a root, but it shouldn't hurt. Do you have AKI in the *child* (client) cert? If you do, that must match the parent (CA) cert SKI or issuer+serial, as applicable. Any openssl function you use should have set this automatically, but conceivably something went wrong, and it could cause the parent-lookup (20) error you got. Check that to be sure.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
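The two checks suggested in the reply, as an added example that is not part of the thread: build a CA cert carrying BC, KU and SKI, issue a client cert under it, run `openssl verify`, and compare the client's AKI keyid with the CA's SKI; a second, unrelated CA shows how error 20 appears when the issuer is not in `-CAfile`. The CA names, the scratch directory and the extension profiles are assumptions for this demo.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes an openssl CLI on PATH.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
WORK=$(mktemp -d)

# req config: CA profile with BC/KU/SKI (AKI optional in a root). Own config
# so the system openssl.cnf cannot add conflicting extensions.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
EOF
# End-entity profile: the AKI keyid must equal the issuing CA's SKI.
cat > "$WORK/client.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

make_ca() {   # make_ca NAME -> $WORK/NAME.pem, $WORK/NAME.key (self-signed)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -config "$WORK/req.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
make_client() {   # make_client CA -> CSR for demo-client, signed into client.pem
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
    -config "$WORK/req.cnf" -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 365 -extfile "$WORK/client.ext" -out "$WORK/client.pem" 2>/dev/null
}
verify_client() {   # verify_client CA: exit 0 if the chain builds, non-zero (e.g. error 20) if not
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/client.pem" >/dev/null 2>&1
}
key_id() {   # key_id CERT Subject|Authority: 20-byte hex id under "<X> Key Identifier"
  openssl x509 -in "$1" -noout -text | grep -A1 "$2 Key Identifier" \
    | grep -oE '([0-9A-F]{2}:){19}[0-9A-F]{2}' | head -n1
}
aki_matches_ski() {   # aki_matches_ski CA: true only when client AKI keyid == CA SKI
  [ "$(key_id "$WORK/client.pem" Authority)" = "$(key_id "$WORK/$1.pem" Subject)" ]
}

make_ca demo-ca; make_ca other-ca; make_client demo-ca
verify_client demo-ca && aki_matches_ski demo-ca && echo "chain OK, client AKI == CA SKI"
verify_client other-ca || echo "verify against other-ca fails as expected (error 20)"
```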