Hi,

I am looking for advice for an application using openssl, but it's not an 
openssl problem.

We have a situation where an external company has provided us with 
authentication certificates from a subCA and we have all the certs back up to 
the root - openssl verify works fine. Another application we use refuses to 
accept the subCA certificate - it is throwing an error because there is no 
subject and serial number in the Authority Key ID Extension, though there is a 
[valid] key ID.

It is my assertion that the issuer name / serial name are optional within this 
extension so the application stating that this certificate is invalid is 
incorrect (though they may have further reasons for requiring this if they 
can't handle KIDs, but I think they can).

RFC 5280:

4.2.1.1.  Authority Key Identifier

   The authority key identifier extension provides a means of
   identifying the public key corresponding to the private key used to
   sign a certificate.  This extension is used where an issuer has
   multiple signing keys (either due to multiple concurrent key pairs or
   due to changeover).  The identification MAY be based on either the
   key identifier (the subject key identifier in the issuer's
   certificate) or the issuer name and serial number.

Any opinions would be greatly appreciated.

Regards,

Carl
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
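The following is an added example, not part of Carl's post or of OpenSSL: a small pure-Python decoder for the DER value of an Authority Key Identifier extension, plus a check of the two rules RFC 5280 section 4.2.1.1 actually imposes on its fields (keyIdentifier MUST be present in CA-issued certificates; authorityCertIssuer and authorityCertSerialNumber MUST both be present or both be absent). Run against a "key ID only" extension it reports no violation, which is the point at issue in the question. The sample extension values are constructed for the example and do not come from any real certificate; the `_tlv`/`_read_tlv` helpers are this example's own minimal DER handling, not a library API.

```python
"""Decode an RFC 5280 AuthorityKeyIdentifier extension value and check it.

    AuthorityKeyIdentifier ::= SEQUENCE {
        keyIdentifier             [0] KeyIdentifier            OPTIONAL,
        authorityCertIssuer       [1] GeneralNames             OPTIONAL,
        authorityCertSerialNumber [2] CertificateSerialNumber  OPTIONAL }
    -- authorityCertIssuer and authorityCertSerialNumber MUST both
    -- be present or both be absent
"""

# Tag bytes of the three context-specific fields inside the SEQUENCE.
TAG_KEY_IDENTIFIER = 0x80  # [0] IMPLICIT OCTET STRING
TAG_CERT_ISSUER = 0xA1     # [1] IMPLICIT GeneralNames (constructed)
TAG_CERT_SERIAL = 0x82     # [2] IMPLICIT INTEGER


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the single-byte-tag DER TLV at buf[pos].
    Short and long definite lengths are handled; indefinite length is rejected."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER: missing tag or length")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:end], end


def parse_authority_key_identifier(der: bytes) -> dict:
    """Decode the extnValue contents (the outer SEQUENCE) of an AKI extension.
    Returns key_identifier (bytes|None), cert_issuer (raw GeneralNames bytes|None)
    and cert_serial (int|None)."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("AuthorityKeyIdentifier must be a single SEQUENCE")
    fields = {"key_identifier": None, "cert_issuer": None, "cert_serial": None}
    pos, last_num = 0, -1
    while pos < len(seq):
        tag, value, pos = _read_tlv(seq, pos)
        num = tag & 0x1F  # context-specific tag number: 0, 1 or 2
        if num <= last_num:
            raise ValueError("AKI fields repeated or out of order")
        last_num = num
        if tag == TAG_KEY_IDENTIFIER:
            fields["key_identifier"] = value
        elif tag == TAG_CERT_ISSUER:
            fields["cert_issuer"] = value
        elif tag == TAG_CERT_SERIAL:
            if not value:
                raise ValueError("empty INTEGER for authorityCertSerialNumber")
            fields["cert_serial"] = int.from_bytes(value, "big", signed=True)
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in AuthorityKeyIdentifier")
    return fields


def check_rfc5280(fields: dict) -> list:
    """Return the RFC 5280 4.2.1.1 violations for a decoded AKI (empty = OK).
    A key identifier on its own satisfies both rules."""
    problems = []
    if fields["key_identifier"] is None:
        problems.append("keyIdentifier absent (MUST be present in CA-issued certs)")
    if (fields["cert_issuer"] is None) != (fields["cert_serial"] is None):
        problems.append("authorityCertIssuer and authorityCertSerialNumber must appear together")
    return problems


def _tlv(tag: int, value: bytes) -> bytes:
    """Short-form DER encoder used only to build the constructed samples below."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value


# Constructed sample values (not from any real certificate).
SAMPLE_KID = bytes(range(1, 21))                      # 20-byte SHA-1-sized key id
_cn = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, b"Test CA"))  # CN=Test CA
_name = _tlv(0x30, _tlv(0x31, _cn))                   # RDNSequence
_general_names = _tlv(0xA4, _name)                    # directoryName [4] EXPLICIT Name
KID_ONLY = _tlv(0x30, _tlv(TAG_KEY_IDENTIFIER, SAMPLE_KID))
KID_ISSUER_SERIAL = _tlv(0x30, _tlv(TAG_KEY_IDENTIFIER, SAMPLE_KID)
                         + _tlv(TAG_CERT_ISSUER, _general_names) + _tlv(TAG_CERT_SERIAL, b"\x05"))
ISSUER_WITHOUT_SERIAL = _tlv(0x30, _tlv(TAG_KEY_IDENTIFIER, SAMPLE_KID)
                             + _tlv(TAG_CERT_ISSUER, _general_names))

if __name__ == "__main__":
    for label, der in [("key id only", KID_ONLY), ("key id + issuer + serial", KID_ISSUER_SERIAL),
                       ("issuer without serial", ISSUER_WITHOUT_SERIAL), ("empty", b"\x30\x00")]:
        print(f"{label}: {check_rfc5280(parse_authority_key_identifier(der)) or 'conformant'}")
```

To feed a real certificate through this, the raw extension value is the contents of the `extnValue` OCTET STRING for OID 2.5.29.35; `openssl x509 -in cert.pem -noout -text` will show whether the decoded fields match what the stricter application is complaining about.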
