Well, there's more to it than that.
An Authority Key Identifier extension can contain a) the value of the issuer cert's "Subject Key Identifier", or
b) The value of the issuer cert's Issuer name and serial number, or
c) both.
Most commercial CAs do a, some do b. AFAIK, none do c.
b and c are less flexible than a because having the issuer's serial number
in it doesn't accommodate CA cert renewal.

Yes, I also decided to go with b) as a) only detects renewal of keys - not of certs.

There's some program that people are using to create their own certs that
does c. I'd like to know what program that is.
Please tell me what program you used to create your certs, or, if you got
them from a CA, what CA you got them from. Thanks.

Check out the attached p12 if you want (PW is 1234), it's a c) type PKI generated with openssl. I guess there is a bunch of people using such a combination b/c in the man page about creating a cert request this combination is suggested in one of the example configuration files.
You may want to check out the page
www.openssl.org/docs/apps/req.html#CONFIGURATION_FILE_FORMAT
The relevant section is
<<<
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
>>>
Hope this helps,
Michael
tester-20021027.p12
Description: application/pkcs12
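
The renewal issue discussed in this thread, as an added example that is not part of the original messages: a small model of how the three Authority Key Identifier forms (a, b, c) match an original CA cert, a renewed one (same key, new serial) and a re-keyed one. The DNs, serials and key ids are constructed, and the strict matching rule is an assumption, since implementations differ in how strictly they apply the extension.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class CACert:
    subject: str   # the CA's own DN
    issuer: str    # DN of whoever signed the CA cert
    serial: int
    ski: str       # Subject Key Identifier (derived from the public key)

@dataclass(frozen=True)
class AKI:
    key_id: Optional[str] = None       # form a): issuer cert's SKI
    cert_issuer: Optional[str] = None  # form b): issuer cert's Issuer name
    cert_serial: Optional[int] = None  # form b): issuer cert's serial number

def make_aki(ca: CACert, form: str) -> AKI:
    """Build the AKI a child cert would carry when signed under `ca`."""
    key_id = ca.ski if form in ("a", "c") else None
    if form in ("b", "c"):
        return AKI(key_id, ca.issuer, ca.serial)
    return AKI(key_id)

def aki_matches(aki: AKI, candidate: CACert) -> bool:
    """Assumed strict rule: every field present in the AKI must agree."""
    if aki.key_id is not None and aki.key_id != candidate.ski:
        return False
    if aki.cert_issuer is not None:
        pair = (candidate.issuer, candidate.serial)
        if (aki.cert_issuer, aki.cert_serial) != pair:
            return False
    return True

# Constructed sample CA certs (self-signed, so issuer == subject).
ORIGINAL = CACert("CN=Test CA", "CN=Test CA", serial=1, ski="KEY-1")
RENEWED = CACert("CN=Test CA", "CN=Test CA", serial=2, ski="KEY-1")  # same key
REKEYED = CACert("CN=Test CA", "CN=Test CA", serial=3, ski="KEY-2")  # new key

def match_table() -> dict:
    """For each AKI form issued under ORIGINAL, which CA certs still match."""
    candidates = {"original": ORIGINAL, "renewed": RENEWED, "rekeyed": REKEYED}
    return {
        form: {name: aki_matches(make_aki(ORIGINAL, form), cert)
               for name, cert in candidates.items()}
        for form in ("a", "b", "c")
    }

if __name__ == "__main__":
    for form, row in match_table().items():
        print(form, row)
```

Form a keeps matching after the CA cert is renewed with the same key, while forms b and c stop matching as soon as the serial changes; that is the flexibility difference described in the quoted message, and also why form a cannot tell a renewed cert from the original.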
