Ok, the idea behind the AKI seems clear to me.
The AKI in the SubCA has to point to the RootCA, to allow choosing the right certificate if there exist multiple keys (and certificates) for this RootCA.
But similarly the AKI field of the webserver certificate (issued by the SubCA) would have to point to the SubCA to select the right certificate if the SubCA has multiple key pairs.
And exactly here is my problem: the AKI field in the webserver certificate does not point to the SubCA but to the RootCA, which seems illogical to me, as software would have to check this field to find the correct SubCA certificate and then the AKI field of the SubCA certificate to find the correct RootCA certificate.
So in my opinion the correct implementation would be:
SubCA certificate (issued by RootCA): AKI field points to the correct RootCA certificate
Web server certificate (issued by SubCA): AKI field points to the correct SubCA certificate (in openCA this points to the RootCA certificate again)
So, does openCA really always set the AKI to point to the RootCA (even if the certificate was issued by a SubCA) or is my installation of openCA going crazy?
Pierre
_________________________
Pierre Scholtes
Unicible
tel: +41 (0)21 644 6111
fax: +41 (0)21 644 6300
mailto:[EMAIL PROTECTED]
http://www.unicible.ch
From: [EMAIL PROTECTED], 07.07.2003 14:08
To: Pierre Scholtes <[EMAIL PROTECTED]>
Subject: Re: [Openca-Users] Réf. : Re: [Openca-Users] Authority Key identifier
When a system has several roots embedded in the certificate root cache, the subCA auth KID points to the root cert to use for validation of the hierarchy chain. Since it's possible for several valid roots to have the same distinguished name, the auth KID points to the exact root cert.
Bill
Pierre Scholtes wrote:
Sorry, I did not completely understand your answer.
What is correct: my understanding or the behaviour of openCA?
I reformulate my question:
Why does a SubCA put the info of the RootCA into the authority key identifier field and not its own info?
Thanx
Pierre
Sent by: [EMAIL PROTECTED], 07.07.2003 13:22
To: Pierre Scholtes <[EMAIL PROTECTED]>
cc: [EMAIL PROTECTED]
Subject: Re: [Openca-Users] Authority Key identifier
Pierre Scholtes wrote:
Hi
I have a question about the authority key identifier field in the certificates.
I have set up a test environment with a RootCA and a SubCA.
If I correctly understood the aim of the authority key identifier field, this field contains the id of the public key corresponding to the private key that signed the certificate.
Now I found out that in all certificates I issue on my SubCA, the authority key field contains the info of my RootCA and not of my SubCA?
(I'm using openCA 0.9.1-1)
Can someone give me a hint? Which behaviour is correct?
Pierre
Correct.
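Added Go example (not code from this thread or from openCA) showing both points raised above: Bill's case of several roots sharing one distinguished name, where only the AKI identifies the exact signing root, and the layout Pierre expects, where the server certificate's AKI names the SubCA key and the SubCA's AKI names the root key. The CA names, serial numbers and the two same-DN roots are constructed for the demo; FindIssuer is a minimal stand-in for a path builder's issuer selection.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign issues a certificate for a fresh Ed25519 key under parent (self-signed if nil); crypto/x509
// derives a CA's SubjectKeyId from a hash of its key and copies the parent's SKI into the child's AKI.
func sign(cn string, serial int64, ca bool, parent *x509.Certificate,
	parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // throwaway demo key
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // SKI/AKI are read back from the encoding
	return cert, key
}
// FindIssuer mimics a path builder: candidate subject == child issuer AND candidate SKI == child AKI.
func FindIssuer(child *x509.Certificate, cands []*x509.Certificate) *x509.Certificate {
	for _, c := range cands {
		if bytes.Equal(c.RawSubject, child.RawIssuer) && bytes.Equal(c.SubjectKeyId, child.AuthorityKeyId) {
			return c
		}
	}
	return nil
}
// BuildDemo: two roots with one DN but different keys, a SubCA under root B, a server cert under the SubCA.
func BuildDemo() (rootA, rootB, sub, leaf *x509.Certificate) {
	rootA, _ = sign("Demo Root CA", 1, true, nil, nil)
	rootB, kb := sign("Demo Root CA", 2, true, nil, nil)
	sub, ks := sign("Demo Sub CA", 3, true, rootB, kb)
	leaf, _ = sign("www.example.test", 4, false, sub, ks)
	return
}
```

With both roots carrying the same subject name, only the SKI/AKI match tells the validator which root signed the SubCA, and the server certificate's AKI matches the SubCA's SKI rather than either root's.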
