Hello,
In a recent thread on this list about "add extension to an existing
(signed) CA certificate" I was wondering how openssl software validates a
certificate chain.
jehan procaccia wrote:
Can someone tell me how SSL clients check/verify a 3-level hierarchy?
Is it based on the extension authorityKeyIdentifier?
At a specific level (1/2/3) it must match the keyid? and/or the issuer
(DirName, human readable)? and/or the serial of its nearest (just above)
parent?
Is this procedure clarified somewhere?
I finally found this presentation:
http://www.oasis-pki.org/pdfs/Understanding_Path_construction-DS2.pdf
which starts by saying
"The certification path construction process has not been standardized,
and there is very little published information available"
Well, since that publication dates from 2002, I wonder if there are new
recommendations/practices and perhaps a real standard way to build and verify
a certification path nowadays?
From that same thread ("add extension to an existing (signed) CA
certificate") you would understand that my actual PKI root-ca probably
needs to be rebuilt from scratch (sub-sub-ca and all leaf certs :-(
as well) because it lacks "basicConstraints CA:TRUE" at the root.
So this time I want to start with good practice, notably for the extensions.
Root-CA should have: (idem for sub-ca?)
[ROOT_CA]
nsComment = "root CA"
subjectKeyIdentifier = hash
#authorityKeyIdentifier = keyid:always,issuer   # ? maybe not that one for root-ca, only for sub-ca
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign, cRLSign
Thanks.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
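As an added example (not part of the original mail, not the list's or OpenSSL's own code), the script below builds a root -> sub-CA -> leaf chain with the extensions discussed above and then shows the two things openssl matches at each level (the child's issuer name against the parent's subject, and the child's authorityKeyIdentifier keyid against the parent's subjectKeyIdentifier) before validating the whole path with `openssl verify`. All names, paths and the `keyUsage = critical,...` choice are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original mail: build a root -> sub-CA -> leaf chain
# with the extensions under discussion, show what openssl matches at each level
# (issuer name, child AKI keyid == parent SKI) and verify the path. Names made up.
set -eu
WORK=$(mktemp -d)
# Root profile: no authorityKeyIdentifier, it would only point at itself.
cat > "$WORK/root.ext" <<'EOF'
subjectKeyIdentifier = hash
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# Sub-CA profile: same, plus a pointer to its parent and no further sub-CAs.
sed 's/CA:TRUE/CA:TRUE,pathlen:0/' "$WORK/root.ext" > "$WORK/subca.ext"
echo 'authorityKeyIdentifier = keyid:always,issuer' >> "$WORK/subca.ext"
cat > "$WORK/leaf.ext" <<'EOF'
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF
# issue NAME SUBJECT EXTFILE [PARENT]: key + CSR, then a cert (self-signed without parent).
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
  if [ $# -eq 4 ]; then
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.pem" -CAkey "$WORK/$4.key" \
      -CAcreateserial -days 30 -extfile "$WORK/$3" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
      -extfile "$WORK/$3" -out "$WORK/$1.pem" 2>/dev/null
  fi
}
build_chain() {
  issue root  "/CN=Example Root CA"  root.ext
  issue subca "/CN=Example Sub CA"   subca.ext root
  issue leaf  "/CN=www.example.test" leaf.ext  subca
}
# keyid CERT subject|authority: hex key identifier from that extension.
keyid() { openssl x509 -in "$1" -noout -ext "${2}KeyIdentifier" |
  grep -oE '([0-9A-F]{2}:){19}[0-9A-F]{2}' | head -n 1; }
# dn CERT subject|issuer: the name without the "subject=" / "issuer=" prefix.
dn() { openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*=//'; }
# linked CHILD PARENT: the two things a verifier matches to find the parent.
linked() { [ "$(dn "$1" issuer)" = "$(dn "$2" subject)" ] &&
  [ "$(keyid "$1" authority)" = "$(keyid "$2" subject)" ]; }
# chain_ok: validate the leaf with the root trusted and the sub-CA untrusted.
chain_ok() { openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/subca.pem" \
  "$WORK/leaf.pem" >/dev/null 2>&1; }
build_chain && linked "$WORK/subca.pem" "$WORK/root.pem" &&
  linked "$WORK/leaf.pem" "$WORK/subca.pem" && chain_ok && echo "3-level path verified"
```

Dropping `-untrusted` from the `openssl verify` call makes the leaf fail with an "unable to get local issuer certificate" style error, which is exactly the parent lookup the questions above are about.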