Peter Sylvester wrote:
well, if one takes the standard configuration of openssl,
it sets the authorityKeyIdentifier to both the hash and
the issuer/serial, no exception for the root. The comment says
that PKIX recommends that.

Yes, and the thread you referred me to on this list, named "Bug in "authorityKeyIdentifier" extension ?", goes in the same direction, although it is not clear whether it concerns THE root CA of a hierarchy or the sub-CA and final certs?

At http://marc.info/?l=openssl-dev&m=103640560416217&w=2
I can read:
"The keyIdentifier is not used, the only valid content for the authorityKeyIdentifier is the issuer's name of the issuer certificate, packed with the issuer's certificate serial number."
...
"PKIX recommends the use of the authorityKeyId, and that the French Government says you must have this extension"

Can someone tell me how SSL clients check/verify a 3-level hierarchy?
Is it based on the authorityKeyIdentifier extension?
At a specific level (1/2/3), must it match the keyid? and/or the issuer (human-readable DirName)? and/or the serial of its nearest (just above) parent?
Is this procedure clarified somewhere?

Now, back to my original problem:
my root CA (http://ca.institut-telecom.fr/pki/IT_MASTER_CA/) doesn't contain the extension:
X509v3 Basic Constraints: critical
               CA:TRUE
and Firefox 3.5 complains about it (it is not a CA!)

As long as my sub-CA does contain the authorityKeyIdentifier extension with keyid/issuer/serial referencing my root CA, am I stuck with those keyid/issuer/serial when I re-sign the root CA? (I re-sign it in order to add CA:TRUE!)
Any other smooth way to change my root CA without breaking the chain?
I do not see this recommendation in the RFCs.
At least there is a lengthy paragraph for roots
to have an exception, and nowhere is it said you
must have both link types.

An AKI identifies the KEY, not the certificate, btw.
I am not sure that the issuer/serial logic is
correctly implementing this in all implementations.
It doesn't mean that the verifying CA certificate
must have this issuer/serial combination; any other
CA certificate with the same subject DN and same key
is also ok.

my 2centimes
/P
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
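To make the questions above concrete, here is an added example (my own script, not code from the thread or from the OpenSSL project) that builds a 3-level chain with the openssl CLI, then re-signs the root with CA:TRUE under the same key and subject and asks openssl verify what it thinks. It assumes an openssl binary of 1.1.1 or later on PATH; all subjects, serials and file names are constructed. What it shows is OpenSSL's own rule (X509_check_akid, applied when it looks for a certificate's issuer): the child's authorityKeyIdentifier is matched against a candidate issuer by keyid when the AKI has one, and additionally by issuer DirName and serial when the AKI carries those too. So a sub-CA whose AKI is keyid-only keeps verifying against a root re-signed with a new serial, a sub-CA whose AKI also has issuer/serial stops verifying unless the re-signed root keeps the old serial.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a 3-level chain with the openssl
# CLI (1.1.1 or later assumed), then re-signs the root with CA:TRUE under the
# same key and subject to see what the sub-CA's authorityKeyIdentifier tolerates.
# All subjects, serials and file names are made up for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/aki.cnf"

write_cnf() {
  # Own config, so the system openssl.cnf does not add extensions behind our back.
  cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ root_nobc ]
subjectKeyIdentifier = hash
[ root_ca ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:TRUE
[ sub_keyid ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical, CA:TRUE, pathlen:0
[ sub_full ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
basicConstraints = critical, CA:TRUE, pathlen:0
[ leaf ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = CA:FALSE
EOF
}

genkey() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
}

# self_signed_root KEY SUBJECT SERIAL EXT_SECTION OUT
self_signed_root() {
  openssl req -new -x509 -key "$1" -subj "$2" -set_serial "$3" -days 30 \
    -config "$CNF" -extensions "$4" -out "$5" 2>/dev/null
}

# issue KEY SUBJECT CA_KEY CA_CERT SERIAL EXT_SECTION OUT
issue() {
  openssl req -new -key "$1" -subj "$2" -config "$CNF" -out "$WORK/tmp.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/tmp.csr" -CA "$4" -CAkey "$3" -set_serial "$5" \
    -days 30 -extfile "$CNF" -extensions "$6" -out "$7" 2>/dev/null
}

# verifies ROOT SUB_CA LEAF -> prints OK or FAIL, based only on openssl verify's exit status
verifies() {
  if openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

build_pki() {
  write_cnf
  genkey "$WORK/root.key"; genkey "$WORK/sub.key"; genkey "$WORK/leaf.key"
  # Root as first issued: requested without basicConstraints, like the poster's root.
  self_signed_root "$WORK/root.key" "/CN=Example Root" 1 root_nobc "$WORK/root_v1.crt"
  # Same sub-CA key, two certificates chained to root_v1: one AKI with keyid only,
  # one AKI with keyid plus the root's issuer DirName and serial ("issuer:always").
  issue "$WORK/sub.key" "/CN=Example Sub CA" "$WORK/root.key" "$WORK/root_v1.crt" 10 sub_keyid "$WORK/sub_keyid.crt"
  issue "$WORK/sub.key" "/CN=Example Sub CA" "$WORK/root.key" "$WORK/root_v1.crt" 11 sub_full  "$WORK/sub_full.crt"
  issue "$WORK/leaf.key" "/CN=leaf.example" "$WORK/sub.key" "$WORK/sub_keyid.crt" 100 leaf "$WORK/leaf_a.crt"
  issue "$WORK/leaf.key" "/CN=leaf.example" "$WORK/sub.key" "$WORK/sub_full.crt"  101 leaf "$WORK/leaf_b.crt"
  # Re-signed root with CA:TRUE, same key and subject: once with a fresh serial, once keeping serial 1.
  self_signed_root "$WORK/root.key" "/CN=Example Root" 2 root_ca "$WORK/root_v2_newserial.crt"
  self_signed_root "$WORK/root.key" "/CN=Example Root" 1 root_ca "$WORK/root_v2_sameserial.crt"
}

build_pki
echo "keyid-only AKI,          re-signed root, new serial:  $(verifies "$WORK/root_v2_newserial.crt"  "$WORK/sub_keyid.crt" "$WORK/leaf_a.crt")"
echo "keyid+issuer/serial AKI, re-signed root, new serial:  $(verifies "$WORK/root_v2_newserial.crt"  "$WORK/sub_full.crt"  "$WORK/leaf_b.crt")"
echo "keyid+issuer/serial AKI, re-signed root, same serial: $(verifies "$WORK/root_v2_sameserial.crt" "$WORK/sub_full.crt"  "$WORK/leaf_b.crt")"
```

The keyid match works after re-signing because subjectKeyIdentifier = hash is derived from the public key alone, so the re-signed root carries the same SKID as the old one; that is the sense in which the AKI names the key, not the certificate. The issuer/serial form ties the child to one particular root certificate, which is exactly why a root that was issued with issuer:always in its children is awkward to replace: keep the serial, or re-issue the sub-CA.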