Ok... a touch more information. The problem I think I have
is that the cert I want to validate has an authorityKeyIdentifier,
but none of the certs in the cert stores I am using have a
SubjectKeyIdentifier that matches. I have a rather
exhaustive list of CA certs scrubbed from the browser
I am currently using (Netscape 4.51), as well as having
checked all the certs in the latest openssl bundle.
My expectation was to see the cert in the Netscape bundle.
Going one step further, the CA in question subsequently
provided me with their certificate, which in turn ALSO
has a keyid in the authorityKeyIdentifier field. Now
I am really puzzled, because:
1) I don't have the CA's cert in my browser, but it
validated everything OK.
2) The CA's cert lists Thawte as the issuing authority,
but the keyid doesn't match the subject key id of any
Thawte certificate I have.
3) "openssl verify -CAfile master.list x"
ends up failing with:
    OpenSSL> verify -CAfile master.list x
    x: /C=XX/O=XXXXXXXXX/CN=XXXX's cert name
    error 2 at 1 depth lookup:unable to get issuer certificate
I'm presuming that since it's at "depth of 1", this means that it
can't verify the CA's cert, which I can understand, since I
can't manually validate the #$%^& thing either.
Am I brain dead? What am I missing?
Thomas Reinke wrote:
>
> I'm looking for, as a starter, a bird's-eye view of some
> docs (or high level explanation) of how the X509v3
> extension "Authority Key Identifier" is used to validate
> a certificate within a browser. I have examples of certs that
> I know Netscape considers to be valid, but for which I do not
> have the CA cert in the browser. I've been through a number of
> docs, archives, and the source, to no avail.
>
> Could someone enlighten me as to the basics? A starting
> point is all that I'm looking for, unless someone has
> more time to dispose of ;-)
>
> Thanks, Thomas
--
------------------------------------------------------------
Thomas Reinke Tel: (416) 460-7021
Director of Technology Fax: (416) 598-2319
E-Soft Inc. http://www.e-softinc.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
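An added example (not from this thread) that reproduces the situation described above with a constructed root -> intermediate -> leaf chain: the leaf's authorityKeyIdentifier keyid equals the SubjectKeyIdentifier of the cert that actually signed it (the intermediate), not the root's, and "openssl verify" reports "error 2 at 1 depth lookup" when the CAfile holds the intermediate but not the intermediate's own issuer. The names, subjects and ext.cnf sections are assumptions; it needs OpenSSL 1.1.1 or newer.

```shell
set -e
WORK=$(mktemp -d); cd "$WORK"
# Constructed extension profiles. SKID is listed before AKID so that
# "authorityKeyIdentifier=keyid" can copy the issuer's SKID into the child.
cat > ext.cnf <<'EOF'
[ca]
basicConstraints=critical,CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
[leaf]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
# mkcert NAME SUBJECT SECTION [ISSUER]: self-signed when ISSUER is omitted
mkcert() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 \
      -extfile ext.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -days 30 -extfile ext.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
  fi
}
# key_id {akid|skid} CERT: print the hex key identifier from -text output,
# accepting both the "keyid:"-prefixed (1.1.1) and the bare (3.x) layout.
key_id() {
  case "$1" in akid) p='Authority Key Identifier';; *) p='Subject Key Identifier';; esac
  openssl x509 -in "$2" -noout -text | awk -v p="$p" \
    'hit { sub(/^[ \t]*/, ""); sub(/^keyid:/, ""); print; exit } $0 ~ p { hit = 1 }'
}
# verify_rc CAFILE CERT: prints 0 when openssl can build the chain, else 1
verify_rc() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo 0; else echo 1; fi
}
mkcert root  "/CN=Demo Root CA"         ca
mkcert inter "/CN=Demo Intermediate CA" ca   root
mkcert leaf  "/CN=demo.example"         leaf inter
cat root.pem inter.pem > chain.pem
# The leaf's AKID names the intermediate's SKID, not the root's.
echo "leaf AKID=$(key_id akid leaf.pem) inter SKID=$(key_id skid inter.pem)"
# Store holds only the intermediate: "error 2 at 1 depth lookup" is openssl
# saying it cannot find the intermediate's own issuer (the root), exactly
# the failure a missing CA cert at depth 1 produces.
openssl verify -CAfile inter.pem leaf.pem || true
openssl verify -CAfile chain.pem leaf.pem   # leaf.pem: OK
```

Compare the two printed identifiers with the SKIDs of every candidate CA cert in your store; if none matches, the verifier has no issuer to look up at that depth, whatever the issuer DN says.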