Thanks!

Erwann ABALEA wrote:
> On Wed, 20 Nov 2002, Gerd Schering wrote:
>
>> I have the following CA/cert hierarchy:
>> rootca -> serverca -> servercert
>>
>> when I look at the authorityKeyIdentifier in the servercert I see:
>> keyid: O.K.
>> serial: O.K.
>> but DirName is NOT the DirName of the serverca but the one of the rootca!
>>
>> This seems to me to be wrong.
>
> No, it's correct. There has been a thread on openssl-dev some days ago.
> You should carefully read the RFC. If you still think OpenSSL is wrong,
> then read the RFC again, and again, and again... ;)

Well, I'll try my very best :-)

> To explain it easily, the authorityKeyIdentifier of servercert is here to
> find the right certificate for serverca. The certificate for serverca can
> be identified by the issuer name of serverca (that is, rootca), and the
> serial number of serverca (which is unique among all the certificates
> signed by rootca).

This seems reasonable.
But the documentation, i.e. openssl.txt, is somewhat misleading:
...
Authority Key Identifier.
[...]
The issuer option copies the issuer and serial number from the issuer
certificate.

From this I expected the serial number from the root cert.

Gerd
--
------------------------------------------------------
-- Gerd Schering, Email: [EMAIL PROTECTED]  --
------------------------------------------------------
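The following script is an added example, not code from the thread or from OpenSSL itself. It rebuilds the rootca -> serverca -> servercert hierarchy discussed above with the openssl CLI, using `authorityKeyIdentifier=keyid,issuer:always` (plain `issuer` only adds the DirName and serial when no keyid could be copied from the issuer's subjectKeyIdentifier), and then checks the point Erwann makes: the DirName in servercert's AKI is the issuer field of serverca's certificate (rootca), and the serial is serverca's own serial, not rootca's. It assumes an `openssl` binary (1.1.1 or newer) on PATH; the serial numbers 0x1000/0x2000, the file names and the temporary directory are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL: rebuild the
# rootca -> serverca -> servercert hierarchy with the openssl CLI and
# check what the leaf's authorityKeyIdentifier really contains.
# Assumes an openssl binary (1.1.1 or newer) on PATH. Names, serial numbers
# and file paths below are made up for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One config for every step. Note "issuer:always": plain "issuer" only adds
# DirName/serial when no keyid could be copied from the issuer's SKI.
cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = root_ext
[dn]
[root_ext]
basicConstraints       = critical,CA:TRUE
subjectKeyIdentifier   = hash
[ca_ext]
basicConstraints       = critical,CA:TRUE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always
[leaf_ext]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always
EOF

# issue_cert NAME ISSUER SERIAL EXTSECTION: key + CSR for NAME, signed by ISSUER.
issue_cert() {
  name=$1; issuer=$2; serial=$3; ext=$4
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
    -out "$WORK/$name.csr" -subj "/CN=$name" -config "$WORK/ext.cnf" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.crt" \
    -CAkey "$WORK/$issuer.key" -set_serial "$serial" -days 30 \
    -extfile "$WORK/ext.cnf" -extensions "$ext" -out "$WORK/$name.crt" 2>/dev/null
}

build_chain() {
  # self-signed root, then the subordinate CA and the end-entity certificate
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/rootca.key" \
    -out "$WORK/rootca.crt" -subj "/CN=rootca" -days 30 \
    -config "$WORK/ext.cnf" 2>/dev/null
  issue_cert serverca   rootca   0x1000 ca_ext
  issue_cert servercert serverca 0x2000 leaf_ext
}

# Print only the Authority Key Identifier block of a certificate.
aki_of() {
  openssl x509 -in "$1" -noout -text | sed -n '/Authority Key Identifier/,/serial:/p'
}

# aki_matches_issuer_cert LEAF ISSUERCERT: succeeds when LEAF's AKI DirName is
# the *issuer* field of ISSUERCERT and its serial is ISSUERCERT's own serial,
# which is exactly the pair the extension is meant to identify the CA cert by.
aki_matches_issuer_cert() {
  aki=$(aki_of "$1")
  aki_dirname=$(printf '%s\n' "$aki" | sed -n 's/.*DirName:\(.*\)/\1/p')
  aki_serial=$(printf '%s\n' "$aki" | sed -n 's/.*serial:\([0-9A-Fa-f:]*\).*/\1/p' | tr -d ':')
  issuer_issuer=$(openssl x509 -in "$2" -noout -issuer -nameopt compat | sed 's/^issuer= *//')
  issuer_serial=$(openssl x509 -in "$2" -noout -serial | sed 's/^serial=//')
  [ -n "$aki_dirname" ] && [ "$aki_dirname" = "$issuer_issuer" ] \
    && [ "$aki_serial" = "$issuer_serial" ]
}

build_chain
echo "== servercert AKI (DirName is rootca, serial is serverca's):"
aki_of "$WORK/servercert.crt"
echo "== serverca issuer and serial, for comparison:"
openssl x509 -in "$WORK/serverca.crt" -noout -issuer -serial -nameopt compat
```

The printed AKI block shows `DirName:/CN=rootca` and `serial:10:00` for servercert, while serverca's own certificate prints `issuer=/CN=rootca` and `serial=1000`: the DirName/serial pair is taken from the issuer's certificate (its issuer name and its serial), which is what "copies the issuer and serial number from the issuer certificate" in openssl.txt means.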

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
