On 02-03-19 23:05:52 CET, Dr S N Henson wrote:
> I can't see how that can happen. The ca command only passes the issuing
> CA certificate to the extension routines. It does not have access to any
> other CA certificate. It fills in the authority key identifier by
> extracting the issuer name of that issuing authority and its serial
> number.

but it seems that it indeed does happen.

> Is the issuer name of the CA correct?
> 
> If there's nothing obviously wrong can you send me an example of a user
> certificate exhibiting this behaviour and all the CA certificates too?

the user cert has the user CA's DN in the issuer DN (CN=User CA) and
the root CA's DN in the authority key identifier "DirName" (CN=Test-CA
(G4)), see the attached example.
but the user cert's authority key identifier "keyid" is the user CA
cert's subject key identifier and the user cert's authority key identifier
"serial" is the user CA cert's serial.
((I ask myself) what's that "X509v3 Authority Key Identifier" exactly
anyway...?)

rj

Attachment: example.tar
Description: Unix tar archive
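
Added example, not part of the thread and not OpenSSL's own code: the script builds a throwaway chain with the DNs from the message (Test-CA (G4), User CA, then a user certificate) and prints the user certificate's authority key identifier next to the issuing CA certificate's own issuer and serial, which is the pair that the "DirName" and "serial" fields carry. It assumes an `openssl` binary with its default config on the PATH and signs with `openssl x509 -req` instead of `openssl ca`; the subject `Some User`, the serials and the file names are constructed.

```shell
#!/bin/sh
# Added example: throwaway three-level chain. DNs come from the thread;
# keys, serials, "Some User" and file names are constructed for the demo.
aki_demo() {
    d=$(mktemp -d) || return 1
    rc=0
    (
        cd "$d" || exit 1
        # Root CA "Test-CA (G4)", self-signed.
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=Test-CA (G4)" -keyout root.key -out root.pem 2>/dev/null || exit 1
        # Intermediate "User CA", issued by the root with serial 0x1001.
        printf 'basicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\n' > ca.ext
        openssl req -newkey rsa:2048 -nodes -subj "/CN=User CA" \
            -keyout ca.key -out ca.csr 2>/dev/null || exit 1
        openssl x509 -req -in ca.csr -CA root.pem -CAkey root.key -days 2 \
            -set_serial 0x1001 -extfile ca.ext -out ca.pem 2>/dev/null || exit 1
        # User certificate issued by "User CA"; AKI gets keyid + issuer + serial.
        printf 'authorityKeyIdentifier=keyid,issuer:always\n' > user.ext
        openssl req -newkey rsa:2048 -nodes -subj "/CN=Some User" \
            -keyout user.key -out user.csr 2>/dev/null || exit 1
        openssl x509 -req -in user.csr -CA ca.pem -CAkey ca.key -days 2 \
            -set_serial 0x2002 -extfile user.ext -out user.pem 2>/dev/null || exit 1
        echo "== user certificate =="
        openssl x509 -in user.pem -noout -issuer
        openssl x509 -in user.pem -noout -text | grep -E 'keyid:|DirName:|serial:'
        echo "== issuing CA certificate (User CA) =="
        # The AKI DirName/serial above are this certificate's issuer and serial.
        openssl x509 -in ca.pem -noout -issuer -serial
    ) || rc=$?
    rm -rf "$d"
    return "$rc"
}
aki_demo
```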
