Today, 19 May 2011, Dave Thompson wrote:
> > From: owner-openssl-us...@openssl.org On Behalf Of Erwann ABALEA
> > Sent: Thursday, 19 May, 2011 04:20
>
> > Today, 18 May 2011, Alex Bergmann wrote:
> <snip: "renew" CA>
> > > The only way I found was to give the new Root Certificate the same
> > > serial number as the previous one.
> >
> > That's forbidden by X.509 standard. And the serial number has nothing
> > to do with the SKI/AKI.
>
> There are (at least) two kinds of AuthorityKeyIdentifier.
>
> AKI=SKI identifies only the parent (CA) key (by hash),
> and is ambiguous if CA gets new cert for same key.
>
> AKI=issuerSerial *does* use parent (CA) serial.
You're right, the AKI extension can be populated with these two pieces of information (in fact, really three, but two of them are linked together in X.509, and not in RFC5280).

--
Erwann ABALEA <erwann.aba...@keynectis.com>
R&D Department, KEYNECTIS
-----
"Do or do not. There is no try." -- Yoda
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
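The renewal case Dave and Erwann discuss, as an added example that is not part of the thread: one CA key gets two self-signed certificates (serials 1 and 2), and a leaf is issued under the first. The keyid form of the AKI matches both CA certificates, while the issuer+serial form pins exactly one. It assumes the openssl CLI (1.1.1 or later) is on PATH; the names and serials are made up.

```shell
#!/bin/sh
# Added example (not from the thread): renew a CA certificate for the SAME
# key, then compare the two AuthorityKeyIdentifier (AKI) forms Dave describes.
# Assumes the openssl CLI (1.1.1 or later) is on PATH; all names are made up.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-contained config so the result does not depend on the system openssl.cnf.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
[v3_ee]
basicConstraints = CA:FALSE
# keyid alone matches every certificate issued for the CA key;
# issuer:always adds issuer name + serial, which pins one CA certificate.
authorityKeyIdentifier = keyid, issuer:always
EOF

# One CA key, reused across the "renewal".
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out ca.key 2>/dev/null
# Two self-signed CA certs for that key: serials 1 and 2, identical SKI
# (the SKI is a hash of the public key, not of the certificate).
for n in 1 2; do
  openssl req -x509 -new -key ca.key -config ext.cnf -extensions v3_ca \
    -subj "/CN=Example Root CA" -set_serial "$n" -days 365 -out "ca$n.crt" 2>/dev/null
done

# Leaf certificate issued under CA certificate #1.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out ee.key 2>/dev/null
openssl req -new -key ee.key -config ext.cnf -subj "/CN=leaf.example" -out ee.csr 2>/dev/null
openssl x509 -req -in ee.csr -CA ca1.crt -CAkey ca.key -set_serial 1000 -days 90 \
  -extfile ext.cnf -extensions v3_ee -out ee.crt 2>/dev/null

# Pull the identifiers out of the text dump (colon-separated hex, no spaces).
ski()        { openssl x509 -in "$1" -noout -text | awk '/Subject Key Identifier/{getline; gsub(/ /,""); print; exit}'; }
aki_keyid()  { openssl x509 -in "$1" -noout -text | awk '/Authority Key Identifier/{getline; sub(/.*keyid:/,""); gsub(/ /,""); print; exit}'; }
aki_serial() { openssl x509 -in "$1" -noout -text | awk '/Authority Key Identifier/{f=1} f && /serial:/{sub(/.*serial:/,""); gsub(/ /,""); print; exit}'; }

echo "CA cert 1 SKI:   $(ski ca1.crt)"
echo "CA cert 2 SKI:   $(ski ca2.crt)"       # identical: same key
echo "leaf AKI keyid:  $(aki_keyid ee.crt)"  # matches BOTH CA certs
echo "leaf AKI serial: $(aki_serial ee.crt)" # 01: only CA cert 1
```

A verifier that matches on keyid alone cannot tell which of the two CA certificates the leaf was issued under; only the issuer+serial component distinguishes them.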