On Thu, Jul 24, 2014, Hubert Kario wrote:
> I have 4 key pairs:
> * CA1
> * CA2
> * subCA
> * server
>
> the CA1 and CA2 are self-signed root CAs
>
> subCA has two certificates, one signed by CA1 and one signed by CA2
>
> server has a certificate signed by subCA (server.pem file)
> and also has Authority Key Identifier with DirName that points to CA1
> (server2.pem file).
>
> The problem happens when I try to verify the server certificate
> using a chain that links up to CA1 and one that links to CA2.
>
> That is:
> $ openssl verify -CAfile ca1.pem -untrusted subca-ca1.pem server2.pem
> server2.pem: OK
>
> $ openssl verify -CAfile ca2.pem -untrusted subca-ca2.pem server2.pem
> server2.pem: CN = localhost
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> While
> $ openssl verify -CAfile ca2.pem -untrusted subca-ca2.pem server.pem
> server.pem: OK
> $ openssl verify -CAfile ca1.pem -untrusted subca-ca1.pem server.pem
> server.pem: OK
>
> As far as I know, the Authority Key IDs are supposed just to aid
> path resolution, not completely guide it. Is that not correct?
>
Yes that's a known limitation with the current AKID handling. If you omit the
issuer and serial number part of AKID there should be no problems.

> Also, I think that the DirName should point to
> /O=Example intermediate CA, not to /CN=CA1 when the certificate
> is signed with
> authorityKeyIdentifier=keyid:always,issuer:always
> extension, doesn't it?
>

I think that's covered by this:

https://www.openssl.org/support/faq.html#USER15

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
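The scenario from the thread, rebuilt as an added shell example (not from the original mail or the OpenSSL project): a throwaway PKI with two roots, one cross-signed sub-CA and two server certificates that differ only in their AKID, followed by the four `openssl verify` calls. Subject names, serial numbers and file names are assumptions; it needs the `openssl` CLI on the path.

```shell
#!/bin/sh
# Throwaway PKI reproducing the cross-signed sub-CA / AKID case. Added example,
# not from the original mail. Assumed names: ca1, ca2, subca, server.
set -e
WORK=$(mktemp -d); cd "$WORK"

printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
printf 'basicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\n' > ca.ext
# Leaf extensions: keyid only (the form Steve recommends) vs keyid+issuer+serial.
printf 'basicConstraints=CA:FALSE\nauthorityKeyIdentifier=keyid:always\n' > keyid.ext
printf 'basicConstraints=CA:FALSE\nauthorityKeyIdentifier=keyid:always,issuer:always\n' > issuer.ext

# One key pair and CSR per entity; the CSR carries the subject name.
for n in ca1 ca2 subca server; do
  openssl genrsa -out $n.key 2048 >/dev/null 2>&1
  openssl req -new -config req.cnf -key $n.key -subj "/CN=$n" -out $n.csr 2>/dev/null
done
# Self-signed roots CA1 and CA2.
for n in ca1 ca2; do
  openssl x509 -req -in $n.csr -signkey $n.key -set_serial 1 -days 30 \
    -extfile ca.ext -out $n.pem 2>/dev/null
done
# The same sub-CA key certified twice, once by each root, with different serials.
openssl x509 -req -in subca.csr -CA ca1.pem -CAkey ca1.key -set_serial 10 \
  -days 30 -extfile ca.ext -out subca-ca1.pem 2>/dev/null
openssl x509 -req -in subca.csr -CA ca2.pem -CAkey ca2.key -set_serial 20 \
  -days 30 -extfile ca.ext -out subca-ca2.pem 2>/dev/null
# Both server certs are signed using subCA's CA1-issued certificate, so
# issuer:always copies "DirName=/CN=ca1, serial=10" into server2.pem's AKID.
openssl x509 -req -in server.csr -CA subca-ca1.pem -CAkey subca.key -set_serial 100 \
  -days 30 -extfile keyid.ext -out server.pem 2>/dev/null
openssl x509 -req -in server.csr -CA subca-ca1.pem -CAkey subca.key -set_serial 101 \
  -days 30 -extfile issuer.ext -out server2.pem 2>/dev/null

# verify_chain ROOT UNTRUSTED_SUBCA LEAF: exit status 0 iff openssl verify says OK.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# server.pem (keyid only) validates via both roots; server2.pem only via CA1,
# because the CA2-issued sub-CA cert fails the AKID issuer/serial comparison.
for leaf in server.pem server2.pem; do
  for root in ca1 ca2; do
    if verify_chain $root.pem subca-$root.pem $leaf; then r=OK; else r=FAIL; fi
    echo "$leaf via $root: $r"
  done
done
```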
