On 7/3/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> On Mon, Jul 03, 2006, snacktime wrote:
>
> > Well I figured out what's happening. The reason windows was
> > complaining about the certificate is that the subjectkeyidentifier was
> > getting set to the same value as authoritykeyidentifier. Firefox
> > didn't pick up on this, but windows did. I was creating the
> > subjectkeyidentifier before the subject was set. Now why openssl
> > inserted the authoritykeyidentifier for the subjectkeyidentifier I'm
> > not sure. My best guess is that it got in a state where it thought
> > the certificate was self signed?
> >
>
> That would explain it. MSIE considers the SKID/AKID (if present) as the
> primary way to process certificate chains. OpenSSL uses subject and issuer
> names first then SKID/AKID. Firefox may either ignore SKID/AKID or just use it
> as a (non mandatory) hint.
>
> The value OpenSSL uses for AKID depends on the configuration file and the
> supplied V3 context. Also see the FAQ for details about AKID: many people have
> asked in the past why it is set to an "incorrect" value.

But in this case it is the SKID that is incorrect. Wouldn't it be
considered a bug to set the SKID the same as AKID just because the
subject was null? Seems like that should throw an error instead.

Chris
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
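
A check for the condition discussed in this thread, as an added example that is not part of the original messages or of OpenSSL: using Ruby's bundled openssl library, it flags a certificate whose SKID equals its AKID keyid without being self-issued, or whose SKID is not the SHA-1 of its own public key (the value OpenSSL's `hash` method produces). The helper names, the test certificates and the way the bad certificate is produced (pointing the extension factory's subject certificate at the CA) are constructed for illustration; the thread does not establish the exact cause.

```ruby
require 'openssl'

# Build a test certificate; skid_source is the certificate the extension
# factory hashes for the SKID (hypothetical helper, constructed data).
def build_cert(cn, key, issuer, issuer_key, skid_source: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = skid_source || cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash"))
  cert.add_extension(ef.create_extension("authorityKeyIdentifier", "keyid:always"))
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

# Decode the DER carried inside an extension's extnValue OCTET STRING.
def ext_body(cert, oid)
  ext = cert.extensions.find { |e| e.oid == oid }
  ext && OpenSSL::ASN1.decode(OpenSSL::ASN1.decode(ext.to_der).value.last.value)
end

# Report SKID defects: equal to the AKID on a non-self-issued certificate,
# or not the SHA-1 of the certificate's own public key bits.
def skid_problems(cert)
  skid = ext_body(cert, "subjectKeyIdentifier")&.value
  akid = ext_body(cert, "authorityKeyIdentifier")&.value&.find { |f| f.tag == 0 }&.value
  return [:no_skid] unless skid
  key_bits = OpenSSL::ASN1.decode(cert.public_key.to_der).value[1].value
  self_issued = cert.subject.to_der == cert.issuer.to_der
  problems = []
  problems << :skid_equals_akid if skid == akid && !self_issued
  problems << :skid_not_key_hash if skid != OpenSSL::Digest::SHA1.digest(key_bits)
  problems
end

# Constructed test data: one CA, one correct leaf, one leaf with the CA's key id.
CA_KEY   = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
CA   = build_cert("Example Test CA", CA_KEY, nil, CA_KEY)
GOOD = build_cert("leaf.example", LEAF_KEY, CA, CA_KEY)
BAD  = build_cert("leaf.example", LEAF_KEY, CA, CA_KEY, skid_source: CA)
[CA, GOOD, BAD].each { |c| puts "#{c.subject}: #{skid_problems(c).inspect}" }
```

The self-signed CA passes because SKID and AKID are expected to match there; only the leaf carrying the issuer's key identifier as its own is reported.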