On Mon, Feb 24, 2003, Peter Looyenga wrote:

> Hi guys,
> 
> I'm having problems using a certificate which I signed using my own CA
> (self-signed) certificate. Whenever this 'sub-ca' certificate is used to
> sign a certification request I'm getting the following error:
> 
> 19343:error:2207707B:X509 V3 routines:V2I_AUTHORITY_KEYID:unable to get
> issuer keyid:v3_akey.c:210:
> 19343:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in
> extension:v3_conf.c:91:name=authorityKeyIdentifier,
> value=keyid:always,issuer:always
> 
> By checking this error message (and lots of reading) I narrowed it down
> to the following statement in my openssl.cnf:
> 
> authorityKeyIdentifier  = keyid:always,issuer:always
> 
> 

It shouldn't have needed too much investigation: the error message is telling
you the precise line in the config file it doesn't like...

> Whenever I remove the "keyid:always" my problems are solved and I can go
> ahead with authorizing the certificate request. The only problem which
> remains is that I fail to understand what's going on. The error says it's
> unable to get the issuer keyid, but it seems to be able to get the
> issuer (id?) itself without problems.
> 
> Now... From what I understand so far I suspect that whenever I try to
> sign a request 'authorityKeyIdentifier' tells OpenSSL how to identify
> the authority of the used certificate. In my case it needs to travel up
> the chain by 1 step but for some reason fails on the keyid.
> 
> When trying to solve this I started with the 'verify' program and it
> told me that it had a problem with looking up the local issuer. I solved
> that by placing the 'hash'.0 of my root certificate in my global certs
> directory. Still, this did not solve the above problem.
> 
> After reading this list the only thing which came a bit close to this
> was a posting of 2002-03-19 and 2002-11-04 but unfortunately it couldn't
> help me to understand.
> 
> 
> Can any of you provide me with some background on this ?
> 

There are several ways to identify the issuing certificate for a given
certificate. 

The simplest is the issuer and subject names. The issuer name of one
certificate must match (for some value of "match") the subject name of the
issuing certificate.

For various reasons more than one certificate may exist with the same subject
name so a simple check on issuer name may result in more than one match.

To resolve this situation various extensions can be present in a certificate
to (hopefully) uniquely identify it.

One extension is subject key identifier (SKID) which uniquely identifies the
key a certificate carries.

Another extension is authority key identifier (AKID). This can contain a key
identifier field and/or the issuer name and serial number of the issuing
certificate.

So in effect the AKID of a certificate must match the corresponding extensions
in the issuing certificate. That is, the key id (if present) in AKID must match
the SKID of the issuing certificate, and the issuer name and serial number (if
present) in AKID must match those in the issuing certificate.

Now when OpenSSL signs a certificate and is instructed to include the AKID
extension it must be able to retrieve the corresponding data from its issuing
certificate. If you say:

authorityKeyIdentifier  = keyid:always,issuer:always

then it's saying that the key id option of AKID *must* always be included and
to give a fatal error if it can't. Since OpenSSL copies the key id from the
issuing certificate it will throw an error if SKID is absent from it.

So that's the probable cause: your CA doesn't have an SKID extension. This is
documented (though not in as much detail) in doc/openssl.txt. The fix is to
either find a way of including SKID in the CA or to remove that 'always'
qualifier.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]