On Sat, Mar 05, 2005, Erwann ABALEA wrote:

> Bonsoir,
> > > > X509v3 Authority Key Identifier:
> > > > keyid:FF:78:E3:03:37:8D:EA:0F:1D:ED:B0:C7:D2:48:49:C6:90:D1:D5:B0
>
> Problem. The issuer of this certificate doesn't have any
> subjectKeyIdentifier extension, so this authorityKeyIdentifier
> extension is useless, and could potentially be misused. I know that
> Mozilla doesn't use the AKI to find the issuing cert, and MSIE does.
> But I haven't tested the case where an AKI existed without the
> corresponding SKI.
>
> > This is the ROOT CA's Cert:
> >
> > Certificate:
> > Data:
> > Version: 1 (0x0)
>
> That's why you don't have any extension on this certificate, it's a
> version 1 certificate. Today, that type of certificates should really
> be avoided unless serious reasons to use them exist.
>
Ah, I'd missed that!

How on earth was that intermediate CA created? OpenSSL shouldn't be including
an AKID extension if the root CA doesn't have one.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
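
The pairing discussed in this thread (a child certificate's AKI keyid against its issuer's SKI, and a version 1 issuer) can be checked from `openssl x509 -text` output. This is an added example, not part of the original messages and not OpenSSL code; the function names are hypothetical, and the sample text is constructed except for the keyid and the "Version: 1 (0x0)" line quoted above.

```python
import re

# Constructed excerpts in `openssl x509 -text` layout; only the keyid and the
# "Version: 1 (0x0)" line come from the thread above.
INTERMEDIATE_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:FF:78:E3:03:37:8D:EA:0F:1D:ED:B0:C7:D2:48:49:C6:90:D1:D5:B0
"""
ROOT_TEXT = """\
Certificate:
    Data:
        Version: 1 (0x0)
"""

HEX = r"((?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2})"

def parse(text):
    """Pull version, AKI keyid and SKI out of `openssl x509 -text` output."""
    ver = re.search(r"^\s*Version:\s*(\d+)", text, re.M)
    # Newer OpenSSL releases print the AKI without the "keyid:" prefix.
    aki = re.search(r"Authority Key Identifier:\s*\n\s*(?:keyid:)?" + HEX, text)
    ski = re.search(r"Subject Key Identifier:\s*\n\s*" + HEX, text)
    return {
        "version": int(ver.group(1)) if ver else None,
        "aki": aki.group(1).upper() if aki else None,
        "ski": ski.group(1).upper() if ski else None,
    }

def check_link(child_text, issuer_text):
    """Return findings for the child-AKI / issuer-SKI pairing."""
    child, issuer = parse(child_text), parse(issuer_text)
    findings = []
    if issuer["version"] == 1:
        findings.append("issuer is a version 1 certificate (no extensions possible)")
    if child["aki"] and not issuer["ski"]:
        findings.append("child has AKI keyid but issuer has no SKI")
    elif child["aki"] and child["aki"] != issuer["ski"]:
        findings.append("child AKI keyid does not match issuer SKI")
    return findings

if __name__ == "__main__":
    for finding in check_link(INTERMEDIATE_TEXT, ROOT_TEXT):
        print("WARN:", finding)
```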