Erwann and Steve,

Thanks for all the comments.  Here's a new set of certs where I think
that I've taken care of the points raised by both of you.  I'd
appreciate your review.


This is the self-signed root CA cert.  It is now V3, and has the AKI and
SKI.  It still has "Digital Signature", as I wasn't sure about what to
do with that on the root CA cert:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c4:37:73:5a:6c:1e:82:64:58:50:5d:ff:8e:85:9e:33
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: [EMAIL PROTECTED], C=US, O=JimDept, OU=JimCo, CN=ATEST7-ROOT-CA
        Validity
            Not Before: Mar  6 07:26:33 2005 GMT
            Not After : Mar  7 07:26:29 2013 GMT
        Subject: [EMAIL PROTECTED], C=US, O=JimDept, OU=JimCo, CN=ATEST7-ROOT-CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:a8:49:49:58:68:34:39:a7:47:6e:fa:ee:b1:7d:
.
<snip>
.
                    e8:8c:d9:fb:bf:11:53:91:25
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Authority Key Identifier: 
                keyid:11:39:D5:7D:DA:50:4A:8B:69:50:6C:66:19:B1:50:E5:B1:65:99:7C
            X509v3 Subject Key Identifier: 
                11:39:D5:7D:DA:50:4A:8B:69:50:6C:66:19:B1:50:E5:B1:65:99:7C
    Signature Algorithm: sha1WithRSAEncryption
        6e:28:ca:ca:15:fb:72:b7:02:05:2e:6c:48:b4:1d:a4:63:d6:
.
<snip>
.
        f2:5c


This is the subordinate CA cert, signed by the ROOT CA.  It is now V3
also, and has the AKI and SKI.  It does not have "Digital Signature":

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            14:88:38:8f:bc:9d:f6:51:6d:e6:40:b7:e8:e7:b6:f2
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: [EMAIL PROTECTED], C=US, O=JimDept, OU=JimCo, CN=ATEST7-ROOT-CA
        Validity
            Not Before: Mar  6 07:30:41 2005 GMT
            Not After : Mar  4 07:27:05 2013 GMT
        Subject: [EMAIL PROTECTED], C=US, O=JimDept, OU=JimCo, CN=ATEST7-SUBROOT-CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:dc:ca:a8:d1:c8:41:91:82:91:fe:d8:c2:8d:2d:
.
<snip>
.
                    8c:b1:b2:de:b8:6c:7a:74:67
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Authority Key Identifier: 
                keyid:11:39:D5:7D:DA:50:4A:8B:69:50:6C:66:19:B1:50:E5:B1:65:99:7C
            X509v3 Subject Key Identifier: 
                65:BA:37:9D:CC:84:A8:2E:66:03:86:B9:0B:53:92:13:7F:95:3F:B8
    Signature Algorithm: sha1WithRSAEncryption
        16:67:f5:93:67:6b:c5:b3:84:5d:fc:1a:05:d4:1e:04:99:80:
.
<snip>
.
        86:0c:53:14:76:f5:b3:2b:e2:6a:78:f6:36:6e:55:21:b2:86:
        6d:20


Finally, just for completeness, this is a client cert that I created
from the subroot CA cert:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0a:ba:76:83:46:f0:87:10:18:b0:36:b6:98:5e:24:15
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: [EMAIL PROTECTED], C=US, O=JimDept, OU=JimCo, CN=ATEST7-SUBROOT-CA
        Validity
            Not Before: Mar  6 07:54:13 2005 GMT
            Not After : Mar  1 07:27:49 2013 GMT
        Subject: [EMAIL PROTECTED], C=US, O=JimDept, OU=JimCo, CN=USER30-ATEST7
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:aa:b0:98:d9:66:4a:fa:7c:73:28:f3:fc:43:cd:
.
<snip>
.
                    53:84:c8:4c:60:f1:48:48:97:15:8e:85:89:5c:ad:
                    9a:aa:76:e7:a2:6b:2e:51:43
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            Netscape Cert Type: 
                SSL Client
            X509v3 Authority Key Identifier: 
                keyid:65:BA:37:9D:CC:84:A8:2E:66:03:86:B9:0B:53:92:13:7F:95:3F:B8
            X509v3 Subject Key Identifier: 
                CE:C5:90:0C:70:67:2C:51:67:7D:62:9A:AE:15:56:7D:8D:89:8E:86
    Signature Algorithm: sha1WithRSAEncryption
        d6:9d:10:1e:ec:4c:e1:59:18:16:9b:75:7f:a9:48:12:d1:9e:
.
<snip>
.
        60:4b:9d:8e:ce:46:f6:fb:6c:0d:da:75:e3:63:87:0c:59:f4:
        73:f1

I think that except for possibly the "Digital Signature", these look ok?

The ROOT CA AKI matches the SKI, the SUB ROOT CA AKI matches the ROOT CA
SKI, and the client cert AKI matches the SUB ROOT CA SKI, which I think
is correct also?

I'm not so much concerned about the validity dates for now, because this
is just for a test configuration, but I pushed out the "Not After"
dates.  I probably should have brought the client cert date back, but I
was working on this late last night/early this morning :).

Thanks again, and looking forward to your comments/suggestions...

Jim
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
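The AKI/SKI matching described in the message (root AKI equals its own SKI, sub-CA AKI equals the root SKI, client AKI equals the sub-CA SKI) is easy to check by eye on three certificates and easy to get wrong on thirty. The script below, an added example that is not part of the original message or of OpenSSL, parses `openssl x509 -text -noout` output and checks the linkage plus the CA-related flags: CA:TRUE and Certificate Sign on every issuing cert, Basic Constraints marked critical on CA certs (RFC 5280 section 4.2.1.9 requires this, and the root dump above lacks the flag while the sub-CA has it), and the pathlen of the sub-CA. On the "Digital Signature" question, RFC 5280 section 4.2.1.3 only requires keyCertSign (and cRLSign if the key signs CRLs) on a CA certificate; a digitalSignature bit alongside them is permitted, so the checker does not treat it as an error. The sample dumps are constructed, abbreviated copies of the three certificates above, with the e-mail attribute left out of the DNs; the `dump` helper and the field names are this example's own.

```python
"""Check the AKI/SKI linkage and CA flags of a chain from `openssl x509 -text -noout` output.
Added example, not code from the original message; the dumps at the bottom are constructed,
abbreviated copies of the root, sub-CA and client certs shown above."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

HEADER_RE = re.compile(r"^\s*([A-Za-z0-9 .]+?):\s*(critical)?\s*$")  # "Name:" or "Name: critical"
DN_RE = re.compile(r"^\s*(Issuer|Subject):\s*(.+)$")
@dataclass
class CertInfo:
    subject: str = ""
    issuer: str = ""
    ski: Optional[str] = None
    aki: Optional[str] = None
    is_ca: bool = False
    pathlen: Optional[int] = None
    bc_critical: bool = False
    key_usage: Set[str] = field(default_factory=set)

def parse_cert_text(text: str) -> CertInfo:
    """Pull DNs, key identifiers, Basic Constraints and Key Usage out of the dump."""
    info = CertInfo()
    current = None  # (header name, critical?) of the block whose value lines follow
    for raw in text.splitlines():
        if m := DN_RE.match(raw):
            setattr(info, m.group(1).lower(), m.group(2).strip())
            current = None
            continue
        if m := HEADER_RE.match(raw):
            current = (m.group(1), m.group(2) is not None)
            continue
        val = raw.strip()
        if current is None or not val:
            continue
        name, critical = current
        if name == "X509v3 Subject Key Identifier":
            info.ski = val.upper()
        elif name == "X509v3 Authority Key Identifier":
            # OpenSSL 1.x prints "keyid:..", 3.x prints bare hex; DirName/serial forms are ignored
            keyid = val[6:] if val.startswith("keyid:") else val
            if re.fullmatch(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2})+", keyid):
                info.aki = keyid.upper()
        elif name == "X509v3 Basic Constraints":
            info.bc_critical = critical
            info.is_ca = "CA:TRUE" in val
            pm = re.search(r"pathlen:(\d+)", val)
            info.pathlen = int(pm.group(1)) if pm else None
        elif name == "X509v3 Key Usage":
            info.key_usage = {p.strip() for p in val.split(",") if p.strip()}
    return info

def check_chain(chain: List[CertInfo]) -> List[str]:
    """chain is ordered root first, end-entity last; returns findings (empty list = OK)."""
    findings = []
    if chain[0].aki is not None and chain[0].aki != chain[0].ski:
        findings.append("cert 0: self-signed root carries an AKI that is not its own SKI")
    for i in range(1, len(chain)):
        cert, issuer = chain[i], chain[i - 1]
        if cert.issuer != issuer.subject:
            findings.append(f"cert {i}: issuer DN does not match cert {i - 1} subject")
        if cert.aki is None or cert.aki != issuer.ski:
            findings.append(f"cert {i}: AKI does not match cert {i - 1} SKI")
    for i, ca in enumerate(chain[:-1]):  # every cert but the leaf signs another cert
        below = len(chain) - 2 - i  # CA certs between this one and the leaf
        if not ca.is_ca:
            findings.append(f"cert {i}: signs cert {i + 1} but lacks CA:TRUE")
        if not ca.bc_critical:
            findings.append(f"cert {i}: Basic Constraints must be critical in a CA cert (RFC 5280 4.2.1.9)")
        if "Certificate Sign" not in ca.key_usage:
            findings.append(f"cert {i}: Key Usage lacks Certificate Sign")
        if ca.pathlen is not None and below > ca.pathlen:
            findings.append(f"cert {i}: pathlen:{ca.pathlen} does not allow {below} CA(s) below it")
    if chain[-1].is_ca or "Certificate Sign" in chain[-1].key_usage:
        findings.append("leaf: end-entity cert must not be able to sign certificates")
    return findings

def dump(subject: str, issuer: str, ski: str, aki: str, exts: str) -> str:
    """Constructed sample in `openssl x509 -text` layout (DNs and key ids taken from the message)."""
    return (f"        Issuer: {issuer}\n        Subject: {subject}\n        X509v3 extensions:\n"
            f"{exts}            X509v3 Authority Key Identifier:\n                keyid:{aki}\n"
            f"            X509v3 Subject Key Identifier:\n                {ski}\n")

DN = "C=US, O=JimDept, OU=JimCo, CN="
ROOT_KID = "11:39:D5:7D:DA:50:4A:8B:69:50:6C:66:19:B1:50:E5:B1:65:99:7C"
SUB_KID = "65:BA:37:9D:CC:84:A8:2E:66:03:86:B9:0B:53:92:13:7F:95:3F:B8"
LEAF_KID = "CE:C5:90:0C:70:67:2C:51:67:7D:62:9A:AE:15:56:7D:8D:89:8E:86"
ROOT_TEXT = dump(DN + "ATEST7-ROOT-CA", DN + "ATEST7-ROOT-CA", ROOT_KID, ROOT_KID,
                 "            X509v3 Basic Constraints:\n                CA:TRUE\n"
                 "            X509v3 Key Usage: critical\n"
                 "                Digital Signature, Certificate Sign, CRL Sign\n")
SUB_TEXT = dump(DN + "ATEST7-SUBROOT-CA", DN + "ATEST7-ROOT-CA", SUB_KID, ROOT_KID,
                "            X509v3 Basic Constraints: critical\n                CA:TRUE, pathlen:0\n"
                "            X509v3 Key Usage: critical\n                Certificate Sign, CRL Sign\n")
LEAF_TEXT = dump(DN + "USER30-ATEST7", DN + "ATEST7-SUBROOT-CA", LEAF_KID, SUB_KID,
                 "            X509v3 Key Usage: critical\n                Digital Signature\n"
                 "            Netscape Cert Type:\n                SSL Client\n")

if __name__ == "__main__":
    print("\n".join(check_chain([parse_cert_text(t) for t in (ROOT_TEXT, SUB_TEXT, LEAF_TEXT)])) or "chain OK")
```

Run it as-is and the only finding on the sample chain is the root's non-critical Basic Constraints; the key identifier linkage is as the message describes. To check real certificates, feed it the output of `openssl x509 -in root.pem -noout -text` (and the same for each subordinate and leaf) in root-first order. Note that this script only compares identifiers and flags; it does not verify signatures, so `openssl verify -CAfile root.pem -untrusted subca.pem client.pem` remains the authoritative test of the chain.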