> Firstly thank you for the extensive debug information

No!! Thank you very much for your quick answer/reply!!

> Specifically the authority key identifier of the EE certificate is incorrectly
> set, though it is set correctly for other certificates in the chain.

I've been checking the Authority key Identifier of all certificates and
I think I know what you mean. I can see that all certificates (but root
and EE) have:
- Subject Key Identifier of its parent
- *subject of the issuer of its issuer (in case of racer.pem, the
subject of Global.pem)*
- serial number of its parent
meanwhile the EE certificate has:
- Subject Key Identifier of its parent
- *subject of its parent*
- serial number of its parent
Is it the problem? Because it's a bit confusing for me... as far as I
understand from the link you gave me (and the RFC 5280, which says
practically the same), the EE of a certificate chain must identify its
parent by means of the AKID.
Following the openssl FAQ example, C certificate must identify the
authority certificate B with the AKID. This can be done either by
including *the subject key identifier of B* or *its issuer name and
serial number* (of B?).
In my case, the EE certificate has the right subject key Identifier
(racer's subject key identifier), right serial number (racer's serial
number), but wrong issuer name (should be ACCamerfirma's subject instead
of racer's serial number). Am I right? If one of the conditions is right
(subject Key Identifier), shouldn't it validate anyway?
Thank you very much.

On 25/08/10 14:59, Dr. Stephen Henson wrote:
> On Wed, Aug 25, 2010, Tomás Tormo wrote:
>> Honestly, I have no idea what I'm doing wrong.. I've checked all the
>> requirements OpenSSL needs and the certificates fulfill them all...
>> Could you please help me? I'm getting desperate...
> Firstly thank you for the extensive debug information, all too often essential
> details are left out making it impossible to diagnose the problem.
> In your case checking the first CA against the rest succeeds while the EE
> certificate fails. That indicates a problem with the EE certificate.
> What you are hitting is mentioned here:
> http://www.openssl.org/support/faq.html#USER15
> Specifically the authority key identifier of the EE certificate is incorrectly
> set, though it is set correctly for other certificates in the chain.
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org

--
Regards,
Tomás Tormo Franco
Systems Department
INDENOVA S.L.
C/ Dels Traginers 14, 2º B
Polígono Vara de Quart
46014 Valencia
Tel. (34) 96 381 99 47
Fax. (34) 96 381 99 48
tto...@indenova.com
http://www.indenova.com
Download the eSigna Viewer software for free to view electronically signed
documents: http://www.indenova.com/eSignaViewer.php
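
The AKID comparison discussed in this thread, as an added example that is not part of either message and is not OpenSSL code: a small Python model of the rule OpenSSL's `X509_check_akid` applies when it tests a candidate issuer, where every AKID field that is present must match. The `Cert`/`Akid` classes, the helper names, and the four-certificate hierarchy (names borrowed from the thread, key identifiers and serials made up) are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Akid:
    keyid: Optional[str] = None    # keyIdentifier
    issuer: Optional[str] = None   # authorityCertIssuer (directory name)
    serial: Optional[int] = None   # authorityCertSerialNumber

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    skid: Optional[str] = None     # subjectKeyIdentifier
    akid: Optional[Akid] = None

def akid_mismatches(child: Cert, candidate: Cert) -> list:
    """List the AKID fields of `child` that rule out `candidate` as its issuer.
    Each field is checked only if present, but all present fields must match."""
    a, out = child.akid, []
    if a is None:
        return out
    if a.keyid and candidate.skid and a.keyid != candidate.skid:
        out.append("keyid != candidate's subject key identifier")
    if a.serial is not None and a.serial != candidate.serial:
        out.append("serial != candidate's serial number")
    # authorityCertIssuer names the candidate's *issuer*, not its subject.
    if a.issuer is not None and a.issuer != candidate.issuer:
        out.append("issuer name != candidate's issuer name")
    return out

def check_chain(chain: list) -> dict:
    """`chain` is ordered leaf first; maps each child subject to its mismatches."""
    return {c.subject: akid_mismatches(c, p) for c, p in zip(chain, chain[1:])}

# Constructed sample data (hypothetical key ids and serial numbers).
GLOBAL = Cert("CN=Global", "CN=Global", 1, skid="aa")
ACCAMERFIRMA = Cert("CN=ACCamerfirma", "CN=Global", 2, "bb",
                    Akid("aa", "CN=Global", 1))
RACER = Cert("CN=racer", "CN=ACCamerfirma", 3, "cc",
             Akid("bb", "CN=Global", 2))
# EE as described in the thread: AKID issuer name is the parent's subject.
EE_BAD = Cert("CN=EE", "CN=racer", 4, akid=Akid("cc", "CN=racer", 3))
# Consistent variants: parent's issuer name, or key identifier only.
EE_GOOD = Cert("CN=EE", "CN=racer", 4, akid=Akid("cc", "CN=ACCamerfirma", 3))
EE_KEYID_ONLY = Cert("CN=EE", "CN=racer", 4, akid=Akid(keyid="cc"))

if __name__ == "__main__":
    for name, problems in check_chain([EE_BAD, RACER, ACCAMERFIRMA, GLOBAL]).items():
        print(name, "->", problems or "AKID consistent with parent")
```
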