----- Original Message -----
> From: "Dr. Stephen Henson" <[email protected]>
> To: [email protected]
> Sent: Thursday, 24 July, 2014 2:58:00 PM
> Subject: Re: Problems with cross-signed certificates and Authority Key Info
>
> On Thu, Jul 24, 2014, Hubert Kario wrote:
>
> > I have 4 key pairs:
> > * CA1
> > * CA2
> > * subCA
> > * server
> >
> > the CA1 and CA2 are self-signed root CAs
> >
> > subCA has two certificates, one signed by CA1 and one signed by CA2
> >
> > server has a certificate signed by subCA (server.pem file)
> > and also has Authority Key Identifier with DirName that points to CA1
> > (server2.pem file).
> >
> > The problem happens when I try to verify the server certificate
> > using chain that links up to CA1 and one that links to CA2.
> >
> > That is:
> > $ openssl verify -CAfile ca1.pem -untrusted subca-ca1.pem server2.pem
> > server2.pem: OK
> >
> > $ openssl verify -CAfile ca2.pem -untrusted subca-ca2.pem server2.pem
> > server2.pem: CN = localhost
> > error 20 at 0 depth lookup:unable to get local issuer certificate
> >
> > While
> > $ openssl verify -CAfile ca2.pem -untrusted subca-ca2.pem server.pem
> > server.pem: OK
> > $ openssl verify -CAfile ca1.pem -untrusted subca-ca1.pem server.pem
> > server.pem: OK
> >
> > As far as I know, the Authority Key IDs are supposed just to aid
> > path resolution, not completely guide it. Is that not correct?
> >
>
> Yes that's a known limitation with the current AKID handling. If you omit the
> issuer and serial number part of AKID there should be no problems.

Is there an RT ticket that tracks it?

> > Also, I think that the DirName should point to
> > /O=Example intermediate CA, not to /CN=CA1 when the certificate
> > is signed with
> > authorityKeyIdentifier=keyid:always,issuer:always
> > extension, doesn't it?
> >
>
> I think that's covered by this:
>
> https://www.openssl.org/support/faq.html#USER15

Yes, that's exactly it. Thank you.
-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: [email protected]
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
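The setup Hubert describes, rebuilt end to end so the four verify calls can be reproduced on a current OpenSSL. This is an added example, not code from the thread or from the OpenSSL project: it assumes an `openssl` binary (1.1.1 or 3.x) on PATH, and the key type (P-256), serial numbers (1001, 2001, 3001, 3002), file names and subjects are constructed for the demo. The `leaf_keyid` section produces the thread's server.pem (AKID with key id only), `leaf_full` produces server2.pem (AKID with `keyid:always,issuer:always`).

```shell
#!/bin/sh
# Added example, not part of the thread: rebuild the PKI Hubert describes
# (two self-signed roots, one cross-signed subCA key, one server key) and
# reproduce the four verify calls. Assumes an `openssl` binary (1.1.1 or 3.x)
# on PATH; file names, serials and subjects are constructed for this demo.
set -e

WORK=$(mktemp -d)
CFG="$WORK/pki.cnf"

# Throw-away config: a dummy DN (overridden by -subj) and the extension sets.
# leaf_keyid -> authorityKeyIdentifier=keyid                      (server.pem)
# leaf_full  -> authorityKeyIdentifier=keyid:always,issuer:always (server2.pem)
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[root_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[subca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[leaf_keyid]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[leaf_full]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
EOF

# new_root NAME SUBJECT: self-signed P-256 root certificate and key.
new_root() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config "$CFG" -extensions root_ext -subj "$2" -days 30 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# new_csr NAME SUBJECT: fresh P-256 key plus a CSR for it.
new_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config "$CFG" -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# sign CSR ISSUER_CERT ISSUER_KEY SERIAL EXT_SECTION OUT: issue a certificate.
sign() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$3.key" \
    -set_serial "$4" -days 30 -sha256 -extfile "$CFG" -extensions "$5" \
    -out "$WORK/$6.pem" 2>/dev/null
}

# verify_chain ROOT INTERMEDIATE LEAF: prints OK or FAIL. The exit status of
# `openssl verify` differs between versions, so key on the "<file>: OK" line.
verify_chain() {
  if openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>/dev/null | grep -q ': OK$'; then
    echo OK
  else
    echo FAIL
  fi
}

new_root ca1 /CN=CA1
new_root ca2 /CN=CA2
new_csr subca "/O=Example intermediate CA"
sign subca ca1 ca1 1001 subca_ext subca-ca1   # same subCA key, issued by CA1 ...
sign subca ca2 ca2 2001 subca_ext subca-ca2   # ... and by CA2 (different serial)
new_csr server /CN=localhost
sign server subca-ca1 subca 3001 leaf_keyid server   # AKID carries only the key id
sign server subca-ca1 subca 3002 leaf_full  server2  # AKID also names CA1 + serial 1001

# The AKID of server2.pem pins the subCA certificate that CA1 issued, which is
# why the path through subca-ca2.pem cannot be built from it.
openssl x509 -in "$WORK/server2.pem" -noout -ext authorityKeyIdentifier

for leaf in server server2; do
  for root in ca1 ca2; do
    printf '%-11s via %s: %s\n' "$leaf.pem" "$root" \
      "$(verify_chain "$WORK/$root.pem" "$WORK/subca-$root.pem" "$WORK/$leaf.pem")"
  done
done
```

Both subCA certificates get the same subjectKeyIdentifier because `hash` derives it from the public key, so the key-id-only leaf chains under either root. The `issuer:always` form additionally embeds the name of the subCA certificate's issuer (CA1, which is what the FAQ entry explains) and the serial of the CA1-issued subCA certificate; OpenSSL's issuer check (`X509_check_akid`) compares both against each candidate issuer, so subca-ca2.pem is rejected and verification stops with error 20, exactly as in the thread.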
