> let's see... you're talking about the authorityKeyIdentifier? I > thought that that went up 2 steps up the tree and then gave a serial > number of cert issued by that CA.
No, it identifies the key that is signing the actual cert (or CRL). A CA's subject key identifier (SKI) gets populated as the AKI into everything it signs. /r$ -- SOA Appliance Group IBM Application Integration Middleware ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]