In experimenting with setting up "layers" of certificates, I have noticed
that the details for the "Issuer" in a user certificate appear to be set
incorrectly. In this exercise, I have a root CA, email CA (signed by the
root CA) and a user certificate (signed by the email CA). In the user cert.,
I have some "X509v3 extensions" which include "X509v3 Authority Key Identifier".
The keyid for this field matches the email CA *BUT* the DirName is that for
the root CA. Netscape appears not to notice this *BUT* IE does :-/

In openssl.cnf, I have the following:

    [ usr_cert ]
    ...
    # PKIX recommendations harmless if included in all certificates.
    #subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer:always

I suspect that "issuer:always" should not be there? Heck, are there any
*good* docs on how to properly construct and write an openssl.cnf file?
To my mind, the current behaviour (if intended) is at least not obvious in
its intent from the configuration file or (at worst?) bringing in the wrong
information. Or am I missing something obvious here?
Thanks,
Darren
--
Darren Reed Senior Software Engineer
[EMAIL PROTECTED] http://www.optimation.com.au
Phone: +61 3 9525 2111 Fax: +61 3 9521 1733
Level 9 West, 608 St Kilda Rd, 3004, Melbourne, Victoria, Australia
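
Added example (not part of the original message and not OpenSSL's own code): a shell script that builds a constructed root CA -> email CA -> user chain and prints what `authorityKeyIdentifier=keyid,issuer:always` puts in the user certificate. With `issuer:always`, the DirName and serial in the extension are copied from the issuing CA certificate's own issuer name and serial number, so the DirName is the root CA's name while the certificate's Issuer field names the email CA. All subject names, file names, the helper functions and the `ca_ext`/`usr_always`/`usr_keyid` section names are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo (all names are made up): root CA -> email CA -> user cert.
set -eu

mkreq() { openssl req -newkey rsa:2048 -nodes -config "$dir/demo.cnf" "$@" 2>/dev/null; }
sign()  { openssl x509 -req -days 30 -extfile "$dir/demo.cnf" "$@" 2>/dev/null; }

# build_chain DIR: create the chain plus two user certificates that differ
# only in their authorityKeyIdentifier setting.
build_chain() {
  dir=$1
  cat > "$dir/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[ usr_always ]
authorityKeyIdentifier = keyid,issuer:always
[ usr_keyid ]
authorityKeyIdentifier = keyid
EOF
  mkreq -x509 -extensions ca_ext -subj "/CN=Example Root CA" -days 30 \
    -keyout "$dir/root.key" -out "$dir/root.pem"
  mkreq -new -subj "/CN=Example Email CA" -keyout "$dir/email.key" -out "$dir/email.csr"
  sign -in "$dir/email.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -set_serial 2 -extensions ca_ext -out "$dir/email.pem"
  mkreq -new -subj "/CN=Example User" -keyout "$dir/user.key" -out "$dir/user.csr"
  n=3
  for s in always keyid; do
    sign -in "$dir/user.csr" -CA "$dir/email.pem" -CAkey "$dir/email.key" \
      -set_serial "$n" -extensions "usr_$s" -out "$dir/user_$s.pem"
    n=$((n + 1))
  done
}

# DirName inside the Authority Key Identifier (empty if the field is absent).
aki_dirname() { openssl x509 -in "$1" -noout -text | sed -n 's/^ *DirName://p'; }
# The certificate's own Issuer field.
cert_issuer() { openssl x509 -in "$1" -noout -issuer; }

d=$(mktemp -d)
build_chain "$d"
echo "Issuer field             : $(cert_issuer "$d/user_always.pem")"
echo "AKI DirName issuer:always: $(aki_dirname "$d/user_always.pem")"
echo "AKI DirName keyid only   : '$(aki_dirname "$d/user_keyid.pem")'"
openssl verify -CAfile "$d/root.pem" -untrusted "$d/email.pem" "$d/user_always.pem"
```

The certificates are left in the temporary directory so the full extension (keyid, DirName, serial) can be inspected with `openssl x509 -noout -text`.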