Robert Joop wrote:
> 
> 
> the user cert has the user CA's DN in the issuer DN (CN=User CA) and
> the root CA's DN in the authority key identifier "DirName" (CN=Test-CA
> (G4)), see the attached example.
> but the user cert's authority key identifier "keyid" is the user CA
> cert's subject key identifier and the user cert's authority key identifier
> "serial" is the user CA cert's serial.
> ((i ask myself) what's that "X509v3 Authority Key Identifier" exactly
> anyway...?)
> 

The extension is meant as a way of uniquely identifying the issuing
authority of a certificate. The subject and issuer names don't have to
be unique and this extension is to resolve ambiguity.

Two ways to identify a certificate are by its subject key identifier
extension or its issuer name and serial number. The relevant standards
say that issuer name and serial number *must* be unique.

What you've got in those certificates is exactly as it should be.

For the end user certificate there is:

X509v3 Authority Key Identifier:
keyid:6B:2B:4B:20:1D:72:8F:1E:B7:9E:98:BC:6B:9F:D4:09:D7:EB:72:AD
DirName:/C=DE/L=Berlin/O=Fraunhofer-Gesellschaft/OU=FOKUS/OU=PLATIN/CN=Test-CA (G4)[EMAIL PROTECTED]
serial:02

If you then look at the CA that signed this certificate using:

openssl x509 -in userCA\cacert.pem -noout -issuer -serial 

issuer= /C=DE/L=Berlin/O=Fraunhofer-Gesellschaft/OU=FOKUS/OU=PLATIN/CN=Test-CA (G4)[EMAIL PROTECTED]
serial=02

it matches what you get above. Because this CA is signed by the root CA
what you get in here is also the subject and issuer DNs of the root CA.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
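The relationship Steve describes can be reproduced end to end. The script below is an added example, not code from either mail or from the OpenSSL project: it builds a constructed three-level chain (a self-signed root "Test-CA (G4)", an intermediate "User CA" with serial 2, and an end-user certificate) with the `authorityKeyIdentifier = keyid,issuer:always` extension, then compares the end-user certificate's Authority Key Identifier against the User CA certificate. The expected result is exactly what the thread shows: `keyid` equals the User CA's Subject Key Identifier, `serial` equals the User CA's own serial (02), and `DirName` is the User CA's issuer, i.e. the root CA's DN, not the User CA's subject. The subject names, serials and file names are constructed for the demo; the minimal `req.cnf` is there only so the script does not depend on the system openssl.cnf.

```shell
#!/bin/sh
# Added demo (not from the original mails): root CA -> "User CA" -> end-user
# cert, then check what the end-user cert's Authority Key Identifier contains.
# All names, serials and file names below are constructed for the example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal request config so the demo does not depend on the system openssl.cnf.
# The [dn] entry is a placeholder; every subject is given with -subj instead.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_root
prompt             = no
[dn]
CN = placeholder-overridden-by-subj
[v3_root]
basicConstraints     = critical,CA:TRUE
subjectKeyIdentifier = hash
EOF

# Extensions for issued certificates. "issuer:always" forces the DirName/serial
# form of the AKI to be written in addition to the keyid form.
cat > ca.ext <<'EOF'
basicConstraints       = critical,CA:TRUE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always
EOF
cat > user.ext <<'EOF'
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always
EOF

newkey() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }
csr()    { openssl req -config req.cnf -new -key "$1" -subj "$2" -out "$3"; }

build_chain() {
  newkey root.key; newkey userca.key; newkey user.key
  # Self-signed root, serial 1
  openssl req -config req.cnf -x509 -key root.key -subj "/CN=Test-CA (G4)" \
      -set_serial 1 -days 1 -out root.crt
  # Intermediate "User CA", serial 2, signed by the root
  csr userca.key "/CN=User CA" userca.csr
  openssl x509 -req -in userca.csr -CA root.crt -CAkey root.key \
      -set_serial 2 -days 1 -extfile ca.ext -out userca.crt 2>/dev/null
  # End-user certificate, serial 3, signed by the User CA
  csr user.key "/CN=Robert Joop" user.csr
  openssl x509 -req -in user.csr -CA userca.crt -CAkey userca.key \
      -set_serial 3 -days 1 -extfile user.ext -out user.crt 2>/dev/null
}

# Subject Key Identifier of a certificate (colon-separated hex, as printed by -text)
ski_of() {
  openssl x509 -in "$1" -noout -text |
    awk '/X509v3 Subject Key Identifier/ { getline; gsub(/ /, ""); print; exit }'
}
# One field (keyid, DirName or serial) of a certificate's Authority Key Identifier
aki_of() {
  openssl x509 -in "$1" -noout -text |
    awk -v f="$2" '/X509v3 Authority Key Identifier/ { inaki = 1; next }
                   inaki && index($0, f ":") { sub("^ *" f ":", ""); print; exit }'
}
serial_of() { openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'; }

# Returns 0 when the end-user AKI matches the User CA exactly as the thread describes
check_aki() {
  [ -f user.crt ] || build_chain >/dev/null
  [ "$(aki_of user.crt keyid)"  = "$(ski_of userca.crt)" ]    || return 1  # keyid  = User CA's SKI
  [ "$(aki_of user.crt serial)" = "$(serial_of userca.crt)" ] || return 1  # serial = User CA's serial
  case "$(aki_of user.crt DirName)" in *"CN=Test-CA (G4)"*) ;; *) return 1 ;; esac  # DirName = root DN
  case "$(aki_of user.crt DirName)" in *"User CA"*) return 1 ;; esac               # ...not the User CA
  openssl verify -CAfile root.crt -untrusted userca.crt user.crt >/dev/null      # chain still builds
}

main() {
  build_chain
  printf 'user.crt   AKI keyid   : %s\n' "$(aki_of user.crt keyid)"
  printf 'userca.crt SKI         : %s\n' "$(ski_of userca.crt)"
  printf 'user.crt   AKI serial  : %s\n' "$(aki_of user.crt serial)"
  printf 'userca.crt serial      : %s\n' "$(serial_of userca.crt)"
  printf 'user.crt   AKI DirName : %s\n' "$(aki_of user.crt DirName)"
  printf 'userca.crt issuer      : %s\n' "$(openssl x509 -in userca.crt -noout -issuer)"
  check_aki && echo "user.crt AKI is consistent with userca.crt; chain verifies against root.crt"
}
main
```

Running it prints the two keyids side by side (identical), the two serials (both 02) and a DirName that names the root CA, which is the point of the thread: the DirName/serial pair identifies the issuing CA's *own* certificate (by its issuer name and serial), so it necessarily carries the next CA up in the chain. Chain building in OpenSSL uses the keyid and the issuer-name/serial pair to pick the right issuer certificate when several CA certificates share a subject name, which is why these values are worth checking when a chain unexpectedly fails to verify.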
