Hi guys, I'm having problems using a certificate which I signed using my own CA (self-signed) certificate. Whenever this 'sub-ca' certificate is used to sign a certification request I'm getting the following error:

19343:error:2207707B:X509 V3 routines:V2I_AUTHORITY_KEYID:unable to get issuer keyid:v3_akey.c:210:
19343:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in extension:v3_conf.c:91:name=authorityKeyIdentifier, value=keyid:always,issuer:always

By checking this error message (and lots of reading) I narrowed it down to the following statement in my openssl.cnf:

authorityKeyIdentifier = keyid:always,issuer:always

Whenever I remove the "keyid:always" my problems are solved and I can go ahead with authorizing the certificate request. The only problem which remains is that I fail to understand what's going on. The error says it's unable to get the issuer keyid, but it seems to be able to get the issuer (id?) itself without problems.

Now... From what I understand so far I suspect that whenever I try to sign a request 'authorityKeyIdentifier' tells OpenSSL how to identify the authority of the used certificate. In my case it needs to travel up the chain by 1 step but for some reason fails on the keyid.

When trying to solve this I started with the 'verify' program and it told me that it had a problem with looking up the local issuer. I solved that by placing the 'hash'.0 of my root certificate in my global certs directory. Still, this did not solve the above problem.

After reading this list the only thing which came a bit close to this was a posting of 2002-03-19 and 2002-11-04 but unfortunately it couldn't help me to understand.

Can any of you provide me with some background on this?

Thanks in advance!

--
Greetings,
Peter

.\\ PGP/GPG key: http://www.catslair.org/pubkey.asc
