Thanks a lot for both answers, they were very helpful; however, it was
easier for me to use Pierre's method.

Although I managed to add the AKID, the verification of the endhost
certificate's context with X509_verify_cert() says the certificate is not
YET valid and:

X509_verify_cert failed: error:0906D06C:PEM routines:PEM_read_bio:no start line

The upper certification path is OK, including the certificate of the issuer.
I have attached both issuer and endhost certificate, if you have the time to
take a look and tell me if you think something's wrong/missing!

Thanks again!

2008/9/8 delcour.pierre <[EMAIL PROTECTED]>

> Silviu VLASCEANU wrote:
>
>> Hi,
>>
>> Sorry to bother again, but I still haven't found how to add the Authority
>> Key ID to a certificate, using openssl.
>> Please, I need some help with this. The details are below.
>>
>> Thank you in advance,
>>
>> --
>> Silviu
>>
>> 2008/9/3 Silviu VLASCEANU <[EMAIL PROTECTED]>
>>
>>    Hello everybody,
>>
>>    I need to copy the Subject Key ID (SKID) from the CA certificate
>>    to the Authority Key ID (AKID) of a new certificate.
>>    I have extracted the SKID with
>>
>>    AUTHORITY_KEYID *akid = X509_get_ext_d2i(ca_cert,
>>    NID_subject_key_identifier, NULL, NULL);
>>
>>    How can I "put" akid in an X509_EXTENSION so that I can add the
>>    latter to a new certificate with X509_add_ext(x, ex_akid, -1) ?
>>
>>    Thanks a lot,
>>
>>    --    Silviu
>>
>
> In my case, I set aki to this string:
> "issuer:always,keyid:always".
>
> It will display:
> keyid:[...] // the subject key id (keyid of issuer)
> DirName:[...] // the DN of the issuer's issuer
> serial:[...] // the serial of the issuer's issuer
>
>
> To set this aki, I use this code:
>       // needs <openssl/x509v3.h>
>       X509V3_CTX ctx;                    // create a context
>       X509V3_set_ctx(&ctx, issuer, son, NULL, NULL, 0);
>       X509_EXTENSION *ex = X509V3_EXT_conf_nid(NULL, &ctx,
>           NID_authority_key_identifier, (char *)"issuer:always,keyid:always");
>       if (ex != NULL) {
>           X509_add_ext(son, ex, -1);     // adds a copy of ex to son
>           X509_EXTENSION_free(ex);       // so release the original
>       }
>
> with X509 *issuer, *son;
>



-- 
Silviu
+33 625 17 51 81


Attachment: endhost.pem
Description: Binary data

Attachment: issuer.pem
Description: Binary data
