Hi, I have a problem with the authorityKeyIdentifier and the issuerAlternativeName.
I want to establish the following hierarchy:

DFN -> HU-CA -> RZ-DCA

The certificates of the DFN and the HU-CA have no problems, but if I try to issue the certificate of RZ-DCA with the HU-CA via "openssl ca" then I get several problems:

Configuration:
--------------

authorityKeyIdentifier = keyid:always,issuer:always
issuerAltName = issuer:copy

This results in the following (Cert of RZ-DCA):

authorityKeyIdentifier: data from the DFN
issuerAltName: <EMPTY>

Are there any hints what I'm doing wrong?

Thanks in advance

Michael

P.S. the version is OpenSSL 0.9.6b on SuSE 7.3

--
-------------------------------------------------------------------
Michael Bell                   Email (private): [EMAIL PROTECTED]
Rechenzentrum - Datacenter     Email: [EMAIL PROTECTED]
Humboldt-University of Berlin  Tel.: +49 (0)30-2093 2482
Unter den Linden 6             Fax: +49 (0)30-2093 2959
10099 Berlin
Germany                        [OpenCA Core Developer]
                               http://www.openca.org

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, O=Humboldt-Universitaet zu Berlin, CN=HU-CA [sign only][EMAIL PROTECTED]
        Validity
            Not Before: Dec 19 13:11:07 2001 GMT
            Not After : Dec 19 13:11:07 2003 GMT
        Subject: C=DE, O=Humboldt-Universitaet zu Berlin, OU=Rechenzentrum, CN=RZ-DCA [sign only][EMAIL PROTECTED]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                CD:42:BA:8D:5A:07:E2:B2:0A:C6:B3:EB:03:F5:4E:1B:21:10:BC:D5
            X509v3 Authority Key Identifier:
                keyid:9D:C5:EA:3F:42:AC:0A:60:A5:28:10:63:48:5D:6E:38:CA:65:87:FD
                DirName:/C=DE/O=Deutsches Forschungsnetz/OU=DFN-CERT GmbH/OU=DFN-PCA/CN=DFN Toplevel Certification [EMAIL PROTECTED]
                serial:24:A8:84
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            X509v3 Subject Alternative Name:
                email:[EMAIL PROTECTED]
            X509v3 Issuer Alternative Name:
                <EMPTY>
            X509v3 CRL Distribution Points:
                URI:https://ca.hu-berlin.de/hu-ca/crl/hu-ca-crl.crl
            Netscape Cert Type:
                SSL CA, S/MIME CA, Object Signing CA
            Netscape Comment:
                Humboldt-Universitaet zu Berlin, HU-CA, erstellt mit OpenSSL (http://www.openssl.org/)
            Netscape SSL Server Name:
                ca.hu-berlin.de
            Netscape Base Url:
                https://ca.hu-berlin.de
            Netscape CA Revocation Url:
                https://ca.hu-berlin.de/hu-ca/crl/hu-ca-crl.crl
            Netscape Revocation Url:
                https://ca.hu-berlin.de/hu-ca/crl/hu-ca-crl.crl
            Netscape CA Policy Url:
                https://ca.hu-berlin.de/hu-ca/hu-ca-policy.html
    Signature Algorithm: sha1WithRSAEncryption
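
Added example, not part of the original post or of OpenSSL: a Python check of how the Authority Key Identifier in the dump above links to the signing certificate, following OpenSSL's documented behaviour that the `issuer` option copies the issuer name and serial number from the issuer certificate. The `HU_CA` values are a constructed stand-in (the HU-CA certificate is not shown in the post), and `parse_aki`, `norm_hex` and `check_aki` are hypothetical helper names.

```python
import re

# AKI block from the RZ-DCA dump in the post (address redacted as on the page).
CHILD_AKI = """\
X509v3 Authority Key Identifier:
    keyid:9D:C5:EA:3F:42:AC:0A:60:A5:28:10:63:48:5D:6E:38:CA:65:87:FD
    DirName:/C=DE/O=Deutsches Forschungsnetz/OU=DFN-CERT GmbH/OU=DFN-PCA/CN=DFN Toplevel Certification [EMAIL PROTECTED]
    serial:24:A8:84
"""

# CONSTRUCTED stand-in for the signer (HU-CA); its certificate is not in the
# post, so these values are assumed to be consistent with the dump above.
DFN = "/C=DE/O=Deutsches Forschungsnetz/OU=DFN-CERT GmbH/OU=DFN-PCA/CN=DFN Toplevel Certification [EMAIL PROTECTED]"
HU_CA = {
    "subject": "/C=DE/O=Humboldt-Universitaet zu Berlin/CN=HU-CA [sign only]",
    "issuer": DFN,
    "serial": "24:A8:84",
    "ski": "9D:C5:EA:3F:42:AC:0A:60:A5:28:10:63:48:5D:6E:38:CA:65:87:FD",
}

def parse_aki(text):
    """Return the keyid, DirName and serial fields of an AKI text block."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(keyid|DirName|serial):(.+)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def norm_hex(value):
    """Normalise colon-separated hex so formatting differences do not matter."""
    return value.replace(":", "").upper()

def check_aki(aki, signer):
    """Compare a child's AKI with the certificate that signed it.

    keyid must equal the signer's Subject Key Identifier. DirName and serial
    identify the signer's certificate by the name of ITS issuer and its serial
    number, so DirName is not the signer's own subject unless it is self-signed.
    """
    findings = []
    if "keyid" in aki and norm_hex(aki["keyid"]) != norm_hex(signer["ski"]):
        findings.append("keyid != signer subjectKeyIdentifier")
    if "DirName" in aki and aki["DirName"] != signer["issuer"]:
        findings.append("DirName != issuer name of signer certificate")
    if "serial" in aki and norm_hex(aki["serial"]) != norm_hex(signer["serial"]):
        findings.append("serial != serial number of signer certificate")
    return findings

if __name__ == "__main__":
    print(check_aki(parse_aki(CHILD_AKI), HU_CA) or "AKI consistent with signer")
```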