Makes perfectly sense. Thank you.
> Am 25.03.2020 um 18:49 schrieb Viktor Dukhovni :
>
> On Wed, Mar 25, 2020 at 05:47:01PM +0100, Dirk wrote:
>
My expectation (maybe wrong) is that the serial and the issuer name belong
to
the same X509 certificate that the key id belongs to.
On Wed, Mar 25, 2020 at 05:47:01PM +0100, Dirk wrote:
> >> My expectation (maybe wrong) is that the serial and the issuer name belong
> >> to
> >> the same X509 certificate that the key id belongs to.
> >
> > Your expectation is "wrong". The issuer DN in the AKID is in fact
> > supposed to be
Thank you Victor. Can you point me to the rfc that defines this?
Best
Am 25.03.2020 um 15:32 schrieb Viktor Dukhovni :
>
>
>>
>> On Mar 24, 2020, at 11:12 AM, Dirk Menstermann wrote:
>>
>> My expectation (maybe wrong) is that the serial and the issuer name belong to
>> the same X509
> On Mar 24, 2020, at 11:12 AM, Dirk Menstermann wrote:
>
> My expectation (maybe wrong) is that the serial and the issuer name belong to
> the same X509 certificate that the key id belongs to.
Your expectation is "wrong". The issuer DN in the AKID is in fact
supposed to be the issuer's
Hi,
I’m using OpenSSL 1.1.1 to issue a certificate and include the AKI by defining
authorityKeyIdentifier = keyid,issuer:always
The issued certificate contains the AKI afterwards with 3 values:
KeyID: issuer's key id
Serial: issuer's serial
Issuer: the issuer’s issuer, not the issuer’s