Recently I ran into the same problem here. Normally, if you have multiple certificates with the same subject, OpenSSL will pick up the first one. As Stephen said, OpenSSL will also check AKID/SKID, but only if both certificates have that extension available. Otherwise, it won't. Even if the target certificate has an AKID but the issuer's certificate doesn't, OpenSSL won't check it.
In the real world, I guess this is not likely to happen. But the following case DOES happen. When some CAs' root certificates expired, those CAs simply distributed a new root certificate with the same key and the same subject as the old one. If you look at the root certificates on Windows XP, you will find some. Those old certificates don't have those extensions either. Unfortunately, OpenSSL will pick up the expired one if it comes first, and of course verification fails later, although a correct one is available right after it. To fix this, I put my own check_issue() inside the X509 certificate store context. In addition to OpenSSL's check_issue(), I also check the expiration of the certificate and the public/private key match. It forces OpenSSL to continue checking all root certificates further and find the correct one. In my case, it works fine.

Kevin

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Chris Bare
Sent: Friday, June 11, 2010 9:53 AM
To: openssl-users@openssl.org
Subject: Re: certs with the same Subject Name

> On Thu, Jun 10, 2010, Chris Bare wrote:
>
> > I have 2 different certs with the same subject name in a CA dir:
> >
> > lrwxrwxrwx 1 chris chris 23 2010-06-10 14:35 0721e1e6.0 -> other.pem
> > lrwxrwxrwx 1 chris chris 18 2010-06-10 14:35 0721e1e6.1 -> ssl.pem
> >
> > when I try to establish an ssl connection:
> >
> > openssl s_client -verify 10 -connect example.com:443 -CApath same_names
> >
> > I get:
> >
> > Verify return code: 18 (self signed certificate)
> >
> > it appears to be choosing 0721e1e6.0, because if I delete that one, it
> > works.
> >
> > Since there is no requirement that Subject Names be unique, is there a way
> > to make this work?
> >
>
> Is that the only certificate in the chain or are there others?

yes, in my test case they are self-signed and the only cert in the chain.

> Those certificates need the subject key identifier extension and those issued
> the authority key identifier extension.
>

-- 
Chris Bare
ch...@bareflix.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
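The situation Chris and Kevin describe, reproduced as an added example that is not code from the thread: two self-signed certificates with an identical Subject land under the same subject hash in a CApath, so the lookup reads `<hash>.0` first and tries `<hash>.1` only if the first candidate is rejected. The script builds such a directory, links it the way c_rehash does (first file listed becomes `.0`), and then reports, per colliding hash, what a practitioner needs to predict the outcome: expiry, whether a Subject Key Identifier is present (without it on the issuer side the AKID/SKID comparison Stephen mentions never happens), and a public-key fingerprint (equal fingerprints are Kevin's re-issued-root case, where only validity can tell the two apart). It assumes only the `openssl` CLI (1.1.x or 3.x); the subject `Example Root CA` and the file names `other.pem`/`ssl.pem`, chosen to mirror the thread's listing, are constructed here.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce a CApath in which two
# self-signed certificates share one Subject (hence one subject hash) and
# report the facts that decide which one OpenSSL will try first.
# Assumes the openssl CLI is on PATH; all certificates are constructed below.
set -eu

# make_selfsigned DIR NAME: self-signed EC certificate for a fixed test subject.
# Two calls give two different keys under an identical Subject (Chris's case).
make_selfsigned() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -subj "/CN=Example Root CA" -days 365 \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# link_capath DIR FILE...: create <subject_hash>.<n> symlinks as c_rehash /
# "openssl rehash" would. FILEs are linked in the order given, so the first
# becomes .0, the entry the by-directory lookup reads first.
link_capath() {
    dir=$1; shift
    for f in "$@"; do
        h=$(openssl x509 -in "$dir/$f" -noout -subject_hash)
        n=0
        while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
        ln -s "$f" "$dir/$h.$n"
    done
}

# pubkey_fp FILE: SHA-256 over the DER SubjectPublicKeyInfo. Equal values mean
# "same key", Kevin's re-issued-root case, where AKID/SKID cannot disambiguate.
pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | sed 's/.*= *//'
}

# count_collisions DIR: number of subject hashes that have more than one entry.
count_collisions() {
    c=0
    for first in "$1"/*.0; do
        [ -e "$first" ] || continue
        [ -e "${first%.0}.1" ] && c=$((c + 1))
    done
    echo "$c"
}

# report_collisions DIR: one line per entry of every colliding hash, with the
# link target, notAfter, SKID presence and a key fingerprint prefix. With no
# SKID on the issuer side, name match alone decides and .0 wins regardless of
# its key or validity; that is the pick Kevin's extra checks are meant to reject.
report_collisions() {
    for first in "$1"/*.0; do
        [ -e "$first" ] || continue
        base=${first%.0}
        [ -e "$base.1" ] || continue
        for link in "$base".[0-9]*; do
            end=$(openssl x509 -in "$link" -noout -enddate | sed 's/^notAfter=//')
            if openssl x509 -in "$link" -noout -text | grep -q 'Subject Key Identifier'; then
                skid=yes
            else
                skid=no
            fi
            printf '%s -> %s  notAfter=%s  SKID=%s  key=%s\n' \
                "${link##*/}" "$(readlink "$link")" "$end" "$skid" \
                "$(pubkey_fp "$link" | cut -c1-16)"
        done
    done
}

capath=$(mktemp -d)
trap 'rm -rf "$capath"' EXIT
make_selfsigned "$capath" other
make_selfsigned "$capath" ssl
link_capath "$capath" other.pem ssl.pem   # other.pem -> <hash>.0, ssl.pem -> <hash>.1
report_collisions "$capath"
# Whether this verifies depends on the OpenSSL release (see the note below).
openssl verify -CApath "$capath" "$capath/ssl.pem" || true
```

The collision report is the stable part of the output. The final `openssl verify` result is not: the lookup behaviour discussed in the thread is that of the 1.0.0-era library, and later releases changed X509_STORE_CTX_get1_issuer to try the other same-subject candidates and to prefer a time-valid issuer, which is essentially what Kevin's custom callback added by hand. On any version, the durable fix is the one Stephen gives: a Subject Key Identifier on the CA certificates and an Authority Key Identifier on what they issue, so that lookup matches on key identity rather than on name order in the directory.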