On Fri, Jun 13, 2014, Carl Young wrote:
>
> Hi,
>
> I am looking for advice for an application using openssl, but it's not an
> openssl problem.
>
> We have a situation where an external company has provided us with
> authentication certificates from a subCA and we have all the certs back up
> to the root - openssl verify works fine. Another application we use refuses
> to accept the subCA certificate - it is throwing an error because there is
> no subject and serial number in the Authority Key ID Extension, though there
> is a [valid] key ID.
>
> It is my assertion that the issuer name / serial name are optional within
> this extension so the application stating that this certificate is invalid
> is incorrect (though they may have further reasons for requiring this if
> they can't handle KIDs, but I think they can).
>
I agree. At least one of keyid and issuer+serial must be present but
issuer+serial is not mandatory.

Also from RFC5280:

   AuthorityKeyIdentifier ::= SEQUENCE {
      keyIdentifier             [0] KeyIdentifier            OPTIONAL,
      authorityCertIssuer       [1] GeneralNames             OPTIONAL,
      authorityCertSerialNumber [2] CertificateSerialNumber  OPTIONAL  }
      -- authorityCertIssuer and authorityCertSerialNumber MUST both
      -- be present or both be absent

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
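As an added illustration of the rules quoted above (this is example code written for this page, not something from the thread, from OpenSSL, or from the application Carl mentions), the following standard-library Python decodes the DER value of an AuthorityKeyIdentifier extension and applies exactly the RFC 5280 constraints: every component is OPTIONAL, authorityCertIssuer and authorityCertSerialNumber MUST both be present or both be absent, and at least one of keyIdentifier or issuer+serial has to be there for the extension to identify anything. The sample extension values are constructed in the block itself (a 20-byte key identifier and a one-RDN issuer name); the helper names `_tlv`, `_read_tlv`, `parse_aki`, `check_aki` and `evaluate` are this example's own.

```python
"""Decode an AuthorityKeyIdentifier extension value (RFC 5280 s4.2.1.1) and
check the OPTIONAL / MUST-both rules discussed in the thread.  Example code,
not from the thread; the sample DER below is constructed, not a real CA."""


def _tlv(tag, value):
    """Encode one DER TLV (short-form length only, enough for these samples)."""
    if len(value) > 127:
        raise ValueError("short-form length only")
    return bytes([tag, len(value)]) + value


def _read_tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value, next_pos); long-form lengths OK."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


# Context-specific tags for the SEQUENCE quoted from RFC 5280 (implicit tagging):
#   [0] keyIdentifier             -> 0x80 (primitive OCTET STRING contents)
#   [1] authorityCertIssuer       -> 0xA1 (constructed: SEQUENCE OF GeneralName)
#   [2] authorityCertSerialNumber -> 0x82 (primitive INTEGER contents)
_TAGS = {0x80: "keyid", 0xA1: "issuer", 0x82: "serial"}


def parse_aki(der):
    """Return {'keyid', 'issuer', 'serial'} -> raw contents, or None when absent."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("AuthorityKeyIdentifier must be exactly one SEQUENCE")
    fields = {"keyid": None, "issuer": None, "serial": None}
    pos, last = 0, -1
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        name = _TAGS.get(tag)
        if name is None:
            raise ValueError(f"unexpected tag 0x{tag:02X} in AuthorityKeyIdentifier")
        num = tag & 0x1F  # context tag number; SEQUENCE components must stay in order
        if num <= last:
            raise ValueError(f"component [{num}] repeated or out of order")
        last = num
        fields[name] = value
    return fields


def check_aki(fields):
    """Apply the RFC 5280 constraints; return (accepted, reason)."""
    has_issuer = fields["issuer"] is not None
    has_serial = fields["serial"] is not None
    if has_issuer != has_serial:
        return False, "authorityCertIssuer and authorityCertSerialNumber must both be present or both absent"
    if fields["keyid"] is None and not has_issuer:
        return False, "no keyIdentifier and no issuer+serial: nothing identifies the issuing key"
    if not has_issuer:
        return True, "keyIdentifier only"  # the subCA certificate in the thread: valid
    if fields["keyid"] is None:
        return True, "issuer+serial only"
    return True, "keyIdentifier plus issuer+serial"


def evaluate(der):
    """Parse and check in one step; malformed DER is reported as a rejection."""
    try:
        return check_aki(parse_aki(der))
    except ValueError as exc:
        return False, f"malformed: {exc}"


# --- constructed samples (not real certificates) ---------------------------
_KEYID = bytes(range(1, 21))  # constructed 20-byte key identifier


def _issuer_name():
    """GeneralNames { directoryName [4] Name { CN=Example Sub CA } }, constructed."""
    cn_oid = _tlv(0x06, bytes([0x55, 0x04, 0x03]))             # OID 2.5.4.3 commonName
    atv = _tlv(0x30, cn_oid + _tlv(0x0C, b"Example Sub CA"))    # AttributeTypeAndValue
    name = _tlv(0x30, _tlv(0x31, atv))                          # Name ::= SEQUENCE OF RDN (SET)
    return _tlv(0xA4, name)                                     # directoryName is [4] EXPLICIT


AKI_KEYID_ONLY = _tlv(0x30, _tlv(0x80, _KEYID))
AKI_FULL = _tlv(0x30, _tlv(0x80, _KEYID) + _tlv(0xA1, _issuer_name()) + _tlv(0x82, b"\x05"))
AKI_ISSUER_NO_SERIAL = _tlv(0x30, _tlv(0x80, _KEYID) + _tlv(0xA1, _issuer_name()))  # violates the MUST
AKI_EMPTY = _tlv(0x30, b"")

if __name__ == "__main__":
    for label, der in [("keyid only", AKI_KEYID_ONLY), ("keyid+issuer+serial", AKI_FULL),
                       ("issuer without serial", AKI_ISSUER_NO_SERIAL), ("empty", AKI_EMPTY)]:
        ok, why = evaluate(der)
        print(f"{label:24s} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

Run as a script it accepts the keyid-only value (the shape Carl's subCA certificate has) and the full value, and rejects an issuer without a serial number and an empty SEQUENCE. An application that insists on issuer+serial is applying a rule RFC 5280 does not contain; the one field the RFC does require of conforming CAs, in every certificate except a self-signed one, is keyIdentifier, which is exactly the field that certificate has.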