Thomas Reinke wrote:
> 
> Ok...a touch more information - the problem I think I have
> is that the cert I want to validate has an authorityKeyIdentifier,
> but none of the certs in the cert stores I am using have a
> SubjectKeyIdentifier that matches. I have a rather
> exhaustive list of CAs certs scrubbed from the browser
> I am currently using (Netscape 4.51), as well as having
> checked all the certs in the latest openssl bundle.
> 
> My expectation was to see the cert in the Netscape bundle.
> 
> Going one step further, the CA in question subsequently
> provided me with their certificate, which in turn ALSO
> has a keyid in the authorityKeyIdentifier field. Now
> I am really puzzled, because:
> 
>    1) I don't have the CA's cert in my browser, but it
>       validated everything OK.
>    2) The CA's cert lists Thawte as the issuing authority,
>       but the keyid doesn't match the subject id of any
>       Thawte certificate I have.
>    3) openssl>verify -CAfile master.list x
>       ends up failing with:
> 
>     OpenSSL> verify -CAfile master.list x
>     x: /C=XX/O=XXXXXXXXX/CN=XXXX's cert name
>     error 2 at 1 depth lookup:unable to get issuer certificate
> 
> I'm presuming that since it's at "depth of 1", means that it
> can't verify the CA's cert, which I can understand, since I
> can't manually validate the #$%^& thing either.
> 
> Am I brain dead? What am I missing?
> 

What kind of certificate is it SSL server, S/MIME or what? It's possible
that you are getting the leaf certificate and an untrusted subordinate
certificate and Netscape is doing chain verification to the trusted
root.

If so then you'll need the subordinate CA in order to check it with
OpenSSL.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
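As an added example (not part of Steve's reply or of the OpenSSL project's own code), the shell script below builds a constructed root -> subordinate -> leaf chain and reproduces the situation Steve describes: `verify -CAfile` against the root alone fails until the subordinate CA is supplied, and it automates the authorityKeyIdentifier/subjectKeyIdentifier comparison Thomas did by hand. All file names, subjects and function names are hypothetical; it assumes a reasonably modern `openssl` binary on PATH.

```shell
#!/bin/sh
# Constructed demo: build a root -> subordinate -> leaf chain with the openssl CLI,
# then show why "verify -CAfile root" fails without the subordinate CA and how
# -untrusted supplies it. Every file name and subject here is hypothetical.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles: SKI on every cert, AKI pointing at the issuer's SKI.
printf 'basicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\n' > root.ext
printf 'basicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid:always\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid:always\n' > leaf.ext

# csr NAME SUBJECT: fresh RSA key plus certificate request.
csr() { openssl req -new -newkey rsa:2048 -nodes -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null; }

csr root "/CN=Demo Root"
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile root.ext -out root.pem 2>/dev/null
csr sub "/CN=Demo Subordinate CA"
openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial -days 2 \
  -extfile ca.ext -out sub.pem 2>/dev/null
csr leaf "/CN=leaf.example"
openssl x509 -req -in leaf.csr -CA sub.pem -CAkey sub.key -CAcreateserial -days 2 \
  -extfile leaf.ext -out leaf.pem 2>/dev/null

# keyid_of CERT EXTNAME: hex key identifier printed under that extension in -text output
# (the "keyid:" prefix older versions print is stripped so versions compare alike).
keyid_of() {
  openssl x509 -in "$1" -noout -text |
    awk -v name="$2" 'found { gsub(/keyid:|[ \t]/, ""); print; exit } $0 ~ name { found = 1 }'
}
# issuer_link_ok CERT ISSUER: the by-hand check from the thread, AKI of CERT == SKI of ISSUER.
issuer_link_ok() {
  [ "$(keyid_of "$1" 'Authority Key Identifier')" = "$(keyid_of "$2" 'Subject Key Identifier')" ]
}
# Root alone: the leaf's issuer (the subordinate) is nowhere to be found, so verify fails.
verify_root_only() { openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1; }
# Subordinate passed as -untrusted chain material (or appended to the CA file): chain completes.
verify_with_sub() { openssl verify -CAfile root.pem -untrusted sub.pem leaf.pem >/dev/null 2>&1; }

echo "leaf -> sub AKI/SKI match:  $(issuer_link_ok leaf.pem sub.pem && echo yes || echo no)"
echo "leaf -> root AKI/SKI match: $(issuer_link_ok leaf.pem root.pem && echo yes || echo no)"
echo "verify with root only:            $(verify_root_only && echo ok || echo FAILED)"
echo "verify with root + untrusted sub: $(verify_with_sub && echo ok || echo FAILED)"
```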