Hi Patrick,

The 'keyid' keyword in this case means 'copy from signing cert'. To add arbitrary values to certificate extensions, you must use the 'arbitrary extension format':

http://www.openssl.org/docs/apps/x509v3_config.html#ARBITRARY_EXTENSIONS
http://www.openssl.org/docs/crypto/ASN1_generate_nconf.html#GENERATION_STRING_FORMAT

HTH,
Stefan

On 06.05.2013, at 21:07, Patrick Patterson wrote:

> The situation is that I want to encode an arbitrary AKI value into a
> certificate for test purposes. If I understand everything correctly, the
> following should work:
>
> [ user_with_bad_aki ]
> authorityKeyIdentifier = @bad_aki
>
> [ bad_aki ]
> keyid = DER:01:02:03:04:05:06:07:08:09:0A
>
>
> However, when I try this, it appears that I can't override the default
> behaviour of copying the SKI from the Signing CA Certificate.

--
Stefan H. Holek
[email protected]
http://pki-tutorial.readthedocs.org
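The arbitrary extension format applied to the AKI from the question, as an added example that is not part of the original thread or of the OpenSSL documentation. It reuses the section names and the 10-byte test value from Patrick's message; the field name inside the SEQUENCE section is only a label and is an assumption of this example.

```ini
# Added example (not from the original messages).
# AuthorityKeyIdentifier ::= SEQUENCE {
#     keyIdentifier [0] IMPLICIT OCTET STRING OPTIONAL, ... }

[ user_with_bad_aki ]
# For comparison, the standard syntax copies the key id from the
# signing certificate's SKI and cannot carry a literal value:
# authorityKeyIdentifier = keyid:always

# Arbitrary extension format: the "ASN1:" prefix hands the value to
# ASN1_generate_nconf, which builds the extension body from the
# section named after SEQUENCE:.
authorityKeyIdentifier = ASN1:SEQUENCE:bad_aki

[ bad_aki ]
# Context tag [0], implicit, wrapping the raw key id bytes given in hex.
keyid = IMPLICIT:0,FORMAT:HEX,OCTETSTRING:0102030405060708090A

# The same extension body written as raw DER instead:
#   30 0C           SEQUENCE, 12 bytes
#      80 0A        [0] IMPLICIT, 10 bytes
#         01 .. 0A  key id
# authorityKeyIdentifier = DER:30:0C:80:0A:01:02:03:04:05:06:07:08:09:0A
```

After issuing a test certificate with this section, `openssl x509 -noout -text` should show the keyid as 01:02:03:04:05:06:07:08:09:0A instead of the CA's SKI. OpenSSL does not validate extensions written this way, so check the output before relying on the test certificate.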
