RE: Authority Key ID Extension

2014-06-13 Thread Salz, Rich
Yes, it's definitely optional. The most common keyIdentifiers that I have seen are based, well, on the key :) /r$ -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: rs...@jabber.me; Twitter: RichSalz

Re: Authority Key ID Extension

2014-06-13 Thread Dr. Stephen Henson
e have all the cert's back up > to the root - openssl verify works fine. Another application we use refuses > to accept the subCA certificate - it is throwing an error because there is > no subject and serial number in the Authority Key ID Extension, though there > is a [valid] k

Authority Key ID Extension

2014-06-13 Thread Carl Young
e. Another application we use refuses to accept the subCA certificate - it is throwing an error because there is no subject and serial number in the Authority Key ID Extension, though there is a [valid] key ID. It is my assertion that the issuer name / serial name are optional within this extens

Re: The Authority Key ID extension

2008-09-11 Thread Silviu VLASCEANU
2008/9/11 Kyle Hamilton <[EMAIL PROTECTED]> > If you're getting pronounced jitter on your client machines, I'd > suggest two things: > > 1) install ntp clients on them, and > 2) create your client certificates with a notBefore date of (now - 10m). > That's exactly what I did. In fact, I synchroni

Re: The Authority Key ID extension

2008-09-10 Thread Kyle Hamilton
If you're getting pronounced jitter on your client machines, I'd suggest two things: 1) install ntp clients on them, and 2) create your client certificates with a notBefore date of (now - 10m). The concept of 'time' is that there is One True Time. The problem is that the One True Time is difficu

Re: The Authority Key ID extension

2008-09-10 Thread Silviu VLASCEANU
Hello, Sorry for the delay, I had some problem with... "delays" :). I have carefully read all of the suggestions from Kyle and Patrick. However, the serial issue was the most flagrant, definitely and I have immediately defined one. Concerning the other suggestions (KU, EKU, AKI), I agree with them

Re: The Authority Key ID extension

2008-09-09 Thread Kyle Hamilton
All certificates issued by a given signer must have different serial numbers. Having both be serial number 0 violates this constraint. (If you look at the serial number as being the 'primary key' into the database of issued certificates by a given authority, this constraint makes sense.) -Kyle H

Re: The Authority Key ID extension

2008-09-09 Thread Patrick Patterson
Hi Silviu: On September 8, 2008 11:38:22 am Silviu VLASCEANU wrote: > Thanks a lot for both answers, they were very helpful; however, it was > easier for me to use Pierre's method. > > Although I managed to add the AKID, the verification of the endhost > certificate's context with X509_verify_cert

Re: The Authority Key ID extension

2008-09-09 Thread Silviu VLASCEANU
Thanks a lot for both answers, they were very helpful; however, it was easier for me to use Pierre's method. Although I managed to add the AKID, the verification of the endhost certificate's context with X509_verify_cert() says the certificate is not YET valid and: X509_verify_cert failed: erro

Re: The Authority Key ID extension

2008-09-08 Thread delcour.pierre
Silviu VLASCEANU wrote: Hi, Sorry to bother again, but I still haven't found how to add the Authority Key ID to a certificate, using openssl. Please, I need some help with this. The details are below. Thank you in advance, -- Silviu 2008/9/3 Silviu VLASCEANU <[EMAIL PROTECTED]

Re: The Authority Key ID extension

2008-09-08 Thread Dr. Stephen Henson
On Mon, Sep 08, 2008, Silviu VLASCEANU wrote: > Hi, > > Sorry to bother again, but I still haven't found how to add the Authority > Key ID to a certificate, using openssl. > Please, I need some help with this. The details are below. > Two ways, one is manually the other using the extension conf

The Authority Key ID extension

2008-09-08 Thread Silviu VLASCEANU
Hi, Sorry to bother again, but I still haven't found how to add the Authority Key ID to a certificate, using openssl. Please, I need some help with this. The details are below. Thank you in advance, -- Silviu 2008/9/3 Silviu VLASCEANU <[EMAIL PROTECTED]> > Hello everybody, > > I need to copy t

Adding the Authority Key ID extension to a certificate

2008-09-03 Thread Silviu VLASCEANU
Hello everybody, I need to copy the Subject Key ID (SKID) from the CA certificate to the Authority Key ID (AKID) of a new certificate. I have extracted the SKID with AUTHORITY_KEYID *akid = X509_get_ext_d2i(ca_cert, NID_subject_key_identifier, NULL, NULL); How can I "put" akid in an X509_EXTENSI