On Wed, 20 Nov 2002, Gerd Schering wrote:

> Erwann ABALEA wrote:
>
> > To explain it easily, the authorityKeyIdentifier of servercert is here to
> > find the right certificate for serverca. The certificate for serverca can
> > be identified by the issuer name of serverca (that is, rootca), and the
> > serial number of serverca (which is unique among all the certificates
> > signed by rootca).
>
> This seems reasonable.
> But the documentation, i.e. openssl.txt is somewhat misleading:
> ...
> Authority Key Identifier.
> [...]
> The issuer option copies the issuer and serial number from the issuer
> certificate.
>
> From this I expected the serial number from the root cert.
And you misread the documentation. I'm sure you'll also misread the RFC and
the X.509 at your first try. It seems you're doing a false simplification
here. You're not alone. Microsoft developers seem to have done it also ;)

In the text you extracted from the OpenSSL documentation: "The issuer option
copies the issuer and serial number from the issuer certificate.", the first
'issuer' word is the issuer name. The issuer name from the issuer certificate
is the grand-father name of the current certificate (here, the rootca name),
and the serial number from the issuer certificate is exactly that, the serial
number of the issuer certificate.

The most common simplification is to change 'the issuer name of the issuer
certificate' to 'the issuer name of the current certificate', which gives a
false impression that OpenSSL is wrong when building the AKI extension.

In fact, the text of the OpenSSL documentation is even more intuitive and less
error prone than the RFC and X.509 documents. In that point, it is better.

-- 
Erwann ABALEA <[EMAIL PROTECTED]> - RSA PGP Key ID: 0x2D0EABD5
-----
Against stupidity, the Gods themselves, contend in vain!
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                           [EMAIL PROTECTED]
Automated List Manager                              [EMAIL PROTECTED]
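The rootca -> serverca -> servercert chain discussed in this thread, as an added example that is not part of the original mail: it builds the three certificates with the OpenSSL CLI and inspects servercert's Authority Key Identifier, which ends up carrying rootca's name (the issuer of serverca) and serverca's serial number, exactly as Erwann describes. It assumes `openssl` (1.1 or 3.x) on PATH; all names, serial numbers and the config sections are constructed for the example.

```shell
#!/bin/sh
# Builds rootca -> serverca -> servercert and inspects the AKI extension.
# Assumes `openssl` (1.1 or 3.x) is on PATH; names/serials are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"
# Serials: rootca 0x01, serverca 0x1001, servercert 0x2001 (all distinct).
build_chain() (
    cd "$WORK"
    cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
[leaf]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
EOF
    openssl req -config ext.cnf -x509 -newkey rsa:2048 -nodes -keyout rootca.key \
        -out rootca.pem -subj /CN=rootca -set_serial 0x01 -days 30 2>/dev/null
    for n in serverca servercert; do
        openssl req -config ext.cnf -new -newkey rsa:2048 -nodes -keyout $n.key \
            -out $n.csr -subj /CN=$n 2>/dev/null
    done
    # serverca is signed by rootca, servercert by serverca.
    openssl x509 -req -in serverca.csr -CA rootca.pem -CAkey rootca.key \
        -set_serial 0x1001 -days 30 -extfile ext.cnf -extensions ca \
        -out serverca.pem 2>/dev/null
    openssl x509 -req -in servercert.csr -CA serverca.pem -CAkey serverca.key \
        -set_serial 0x2001 -days 30 -extfile ext.cnf -extensions leaf \
        -out servercert.pem 2>/dev/null
)
# The keyid/DirName/serial lines of a certificate's Authority Key Identifier.
aki_of() {
    openssl x509 -in "$WORK/$1.pem" -noout -text \
        | grep -E '^ *(keyid|DirName|serial):' | sed 's/^ *//'
}
# A certificate's own serial number, in hex as OpenSSL prints it.
serial_of() {
    openssl x509 -in "$WORK/$1.pem" -noout -serial | cut -d= -f2
}
build_chain
echo "serverca serial: $(serial_of serverca)"   # 1001
aki_of servercert      # DirName:/CN=rootca and serial:10:01 (not serverca's name)
```

The `DirName` in servercert's AKI is rootca, i.e. the issuer name taken from serverca's certificate, and the `serial` is serverca's own (0x1001), which is what lets a verifier pick the right serverca certificate among everything rootca has signed.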