On Mon, Jul 03, 2006, snacktime wrote:

> Well I figured out what's happening. The reason windows was
> complaining about the certificate is that the subjectkeyidentifier was
> getting set to the same value as authoritykeyidentifier. Firefox
> didn't pick up on this, but windows did. I was creating the
> subjectkeyidentifier before the subject was set. Now why openssl
> inserted the authoritykeyidentifier for the subjectkeyidentifier I'm
> not sure. My best guess is that it got in a state where it thought
> the certificate was self signed?
>
That would explain it. MSIE considers the SKID/AKID (if present) as the primary way to process certificate chains. OpenSSL uses subject and issuer names first then SKID/AKID. Firefox may either ignore SKID/AKID or just use it as a (non mandatory) hint.

The value OpenSSL uses for AKID depends on the configuration file and the supplied V3 context.

Also see the FAQ for details about AKID: many people have asked in the past why it is set to an "incorrect" value.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
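An added example, not code from this thread or from the OpenSSL project: a Ruby check for the condition discussed above, a certificate that is not self-issued yet carries an SKID equal to its AKID key id, plus the key-id link to the issuer that a chain builder relying on SKID/AKID would follow. The certificate names, serials and helper names are made up, and the test certificates are generated in memory with Ruby's `openssl` library.

```ruby
require "openssl"

# Build a constructed test certificate (names and serials are made up).
def make_cert(subject, serial, key, issuer_cert, issuer_key, skid: "hash")
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", skid))
  # keyid:always copies the issuer certificate's SKID into the new AKID.
  cert.add_extension(ef.create_extension("authorityKeyIdentifier", "keyid:always")) if issuer_cert
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Decode an extension body from DER rather than from OpenSSL's text rendering.
def ext_body(cert, name)
  ext = cert.extensions.find { |e| e.oid == name }
  ext && OpenSSL::ASN1.decode(OpenSSL::ASN1.decode(ext.to_der).value.last.value)
end

def skid(cert)
  ext_body(cert, "subjectKeyIdentifier")&.value
end

def akid_keyid(cert)
  fields = ext_body(cert, "authorityKeyIdentifier")&.value || []
  fields.find { |e| e.tag == 0 && e.tag_class == :CONTEXT_SPECIFIC }&.value
end

# Returns :skid_equals_akid (the defect in this thread), :akid_mismatch or :ok.
def check_link(cert, issuer)
  self_issued = cert.subject.cmp(cert.issuer).zero?
  return :skid_equals_akid if !self_issued && skid(cert) && skid(cert) == akid_keyid(cert)
  return :akid_mismatch if akid_keyid(cert) && skid(issuer) && akid_keyid(cert) != skid(issuer)
  :ok
end

CA_KEY, LEAF_KEY = OpenSSL::PKey::RSA.new(2048), OpenSSL::PKey::RSA.new(2048)
CA = make_cert("/CN=Example Test CA", 1, CA_KEY, nil, CA_KEY)
GOOD = make_cert("/CN=leaf.example.test", 2, LEAF_KEY, CA, CA_KEY)
BAD = make_cert("/CN=leaf.example.test", 3, LEAF_KEY, CA, CA_KEY, skid: skid(CA).unpack1("H*"))
```

`BAD` still has a valid signature from the CA and matching subject and issuer names, so name-based chain building accepts it; only the key-identifier comparison flags it.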