On Mon, Aug 30, 2010, Toms Tormo wrote:

> Finally, I checked the Authority Key Identifier of the EE certificate but 
> it looks good to me...
> /[amsterdam:/test]# openssl x509 -in admesigna.cer -text
> keyid:B2:D2:89:54:6C:14:8E:84:CC:F4:DA:26:6A:45:9C:27:A9:5C:02:CF
>                 DirName:/C=ES/O=AC Indenova SL - CIF 
> B97458996/OU=http///www.indenova.com/CN=AC Indenova
>                 serial:14:19:C1:49:C9:86:CB:CC*
> Could anybody give me some clue about this?
> Thank you very much.

If you include the -issuer_checks option you can soon diagnose the problem.
You will see lots of messages about subject issuer mismatches: that's normal.
Anything else may indicate a problem. In this case you get:

error 31 at 0 depth lookup:authority and issuer serial number mismatch

That is specifically indicating a problem with AKID. Looking above I can see
"http///" in AKID.

I'd actually recommend not including the issuer and serial number in AKID if
you can and just using the keyid option. Newer OpenSSL default configuration
files do that.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to