On Wed, 20 Nov 2002, Gerd Schering wrote:

> I have the following CA/cert hierarchy:
> rootca -> serverca -> servercert
>
> when I look at the authorityKeyIdentifier in the servercert I see:
> keyid: O.K.
> serial: O.K.
> but DirName is NOT the DirName of the serverca but the one of the rootca!
>
> This seems to me to be wrong.

No, it's correct. There was a thread on openssl-dev some days ago.
You should carefully read the RFC. If you still think OpenSSL is wrong,
then read the RFC again, and again, and again... ;)

To explain it easily, the authorityKeyIdentifier of servercert is here to
find the right certificate for serverca. The certificate for serverca can
be identified by the issuer name of serverca (that is, rootca), and the
serial number of serverca (which is unique among all the certificates
signed by rootca).

OpenSSL is right.

-- 
Erwann ABALEA <[EMAIL PROTECTED]> - RSA PGP Key ID: 0x2D0EABD5
-----
I use Outlook Express as a news and mail server.
-+- Laury in GNU: At MS, the customer is king... of the dimwits. -+-

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
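
The lookup described in the reply above, as an added example that is not part of the original message and not OpenSSL code: a stdlib-only Python model of how a servercert's authorityKeyIdentifier selects the serverca certificate. The names `Cert`, `AKI`, `make_aki` and `find_issuer`, and all certificate values, are constructed for illustration; the re-issued serverca is an added case showing why DirName and serial are needed together.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class AKI:
    keyid: str    # subjectKeyIdentifier of the issuing CA's certificate
    dirname: str  # issuer name found IN the issuing CA's certificate
    serial: int   # serial number found IN the issuing CA's certificate

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    ski: str
    aki: Optional[AKI] = None

def make_aki(ca: Cert) -> AKI:
    """Build the AKI a CA puts into certificates it signs (keyid + issuer/serial)."""
    return AKI(keyid=ca.ski, dirname=ca.issuer, serial=ca.serial)

def find_issuer(cert: Cert, pool: List[Cert]) -> List[Cert]:
    """Return the CA certificates in pool that cert's AKI points at."""
    matches = [ca for ca in pool if ca.subject == cert.issuer]  # name chaining
    if cert.aki is None:
        return matches  # no AKI: name chaining is all we have
    return [ca for ca in matches
            if ca.ski == cert.aki.keyid          # keyid selects the key
            and ca.issuer == cert.aki.dirname    # DirName + serial select
            and ca.serial == cert.aki.serial]    # one specific certificate

# Constructed hierarchy: rootca -> serverca -> servercert
ROOT = Cert("CN=rootca", "CN=rootca", 1, "aa:01")
# serverca was issued twice by rootca with the same key (same ski, new serial)
SERVERCA_OLD = Cert("CN=serverca", "CN=rootca", 2, "bb:02", make_aki(ROOT))
SERVERCA_NEW = Cert("CN=serverca", "CN=rootca", 7, "bb:02", make_aki(ROOT))
SERVERCERT = Cert("CN=www.example.test", "CN=serverca", 1, "cc:03",
                  make_aki(SERVERCA_NEW))
POOL = [ROOT, SERVERCA_OLD, SERVERCA_NEW]

if __name__ == "__main__":
    # DirName is rootca (serverca's issuer), not serverca itself
    print("servercert issuer :", SERVERCERT.issuer)
    print("servercert AKI    :", SERVERCERT.aki)
    for ca in find_issuer(SERVERCERT, POOL):
        print("resolved issuer   :", ca.subject, "serial", ca.serial)
```

Name chaining and keyid alone match both serverca certificates here; only the (DirName, serial) pair narrows the result to the one that actually signed servercert.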
