Hi Oli,

> I have a chained Root-Certificate (Root -> UserCA -> Usercertificate)
> and have problems on validating eMail Signatures.
>
> If someone receives my Mail, the MUA complains that there is no valid
> Root Certificate.
> Is there a standard way to include a machine readable reference into the
> certificate/signature, where the CA Certificates can be obtained?

according to RFC 3280, Section 4.2.1.1 such a reference is called Authority Key Identifier. It can be the literal DN of the CA or the issuing CA's SHA1 public key hash. You can set it in the openssl.cnf file thusly:

    authorityKeyIdentifier = <[keyid[:always]][, issuer[:always]]>

If you use keyid:always, your CA automatically includes the public key hash as Authority Key Identifier, which will automatically be used instead of issuer name match for certificate chain verification by RFC conforming clients...

Cheers,
Martin

_______________________________________________
Openca-Users mailing list
https://lists.sourceforge.net/lists/listinfo/openca-users
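
The setting from the reply above, exercised end to end as an added example (not from the original message or from OpenCA): it issues a constructed Root -> UserCA -> user chain with `authorityKeyIdentifier = keyid:always` and checks that a certificate's Authority Key Identifier equals its issuer's Subject Key Identifier. The file names, subject names and the helpers `build_chain`, `issue`, `key_id` and `aki_matches` are assumptions of this example; it needs the `openssl` command line tool.

```shell
#!/bin/sh
# Constructed demo chain Root -> UserCA -> user; every name here is invented.
# build_chain DIR: write the config, keys and certificates into DIR.
build_chain() {
  d=$1
  cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[root_ext]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[ca_ext]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[usr_ext]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/demo.cnf" \
    -extensions root_ext -subj "/CN=Demo Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  issue "$d" root userca ca_ext "/CN=Demo UserCA" &&
  issue "$d" userca user usr_ext "/CN=Demo User"
}

# issue DIR ISSUER NAME EXT_SECTION SUBJECT: new key and CSR, signed by ISSUER.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/demo.cnf" -subj "$5" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -days 2 -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -extfile "$1/demo.cnf" -extensions "$4" \
    -out "$1/$3.pem" 2>/dev/null
}

# key_id CERT Authority|Subject: print that key identifier as colon-separated hex.
key_id() {
  openssl x509 -in "$1" -noout -text | grep -A1 "X509v3 $2 Key Identifier" |
    grep -Eo '([0-9A-F]{2}:){19}[0-9A-F]{2}'
}

# aki_matches CERT ISSUER: succeeds when CERT's AKI keyid equals ISSUER's SKI.
aki_matches() {
  a=$(key_id "$1" Authority) && s=$(key_id "$2" Subject) && [ "$a" = "$s" ]
}
# Usage: d=$(mktemp -d); build_chain "$d"; aki_matches "$d/user.pem" "$d/userca.pem"
```

The same `key_id` comparison can be run against real certificates to see which issuer key a certificate names before debugging a chain that a mail client rejects.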
