Yes, AKID has to identify the issuer of the issuer, and the issuer's serial number assigned by its issuer, if you plan to use the issuer/serial approach.

That tripped me up about a year ago, but when you think about it, it makes sense: you need to identify the cert whose corresponding private key signed this one. You can do that by identifying the ISSUER of THAT cert, and THAT cert's serial number.

-----Original Message-----
From: owner-openssl-us...@openssl.org on behalf of Tomás Tormo
Sent: Thu 8/26/2010 12:08 AM
To: openssl-users@openssl.org
Subject: Re: Getting crazy with "error 20 at 0 depth lookup:unable to get local issuer certificate error" (I tried everything...)

> Firstly thank you for the extensive debug information

No!! Thank you very much for your quick answer/reply!!

> Specifically the authority key identifier of the EE certificate is incorrectly
> set, though it is set correctly for other certificates in the chain.

I've been checking the Authority Key Identifier of all certificates and I think I know what you mean. I can see that all certificates (but root and EE) have:

- Subject Key Identifier of its parent
- *subject of the issuer of its issuer (in the case of racer.pem, the subject of Global.pem)*
- serial number of its parent

meanwhile the EE certificate has:

- Subject Key Identifier of its parent
- *subject of its parent*
- serial number of its parent

Is that the problem? Because it's a bit confusing for me... As far as I understand from the link you gave me (and RFC 5280, which says practically the same), the EE of a certificate chain must identify its parent by means of the AKID. Following the OpenSSL FAQ example, certificate C must identify the authority certificate B with the AKID. This can be done either by including *the subject key identifier of B* or *its issuer name and serial number* (of B?). In my case, the EE certificate has the right subject key identifier (racer's subject key identifier), the right serial number (racer's serial number), but the wrong issuer name (should be ACCamerfirma's subject instead of racer's serial number). Am I right?

If one of the conditions is right (Subject Key Identifier), shouldn't it validate anyway?

Thank you very much.

On 25/08/10 14:59, Dr. Stephen Henson wrote:
> On Wed, Aug 25, 2010, Tomás Tormo wrote:
>
>> Honestly, I have no idea what I'm doing wrong.. I've checked all the
>> requirements OpenSSL needs and the certificates fulfill them all...
>>
>> Could you please help me? I'm getting desperate...
>>
> Firstly thank you for the extensive debug information, all too often essential
> details are left out making it impossible to diagnose the problem.
>
> In your case checking the first CA against the rest succeeds while the EE
> certificate fails. That indicates a problem with the EE certificate.
>
> What you are hitting is mentioned here:
>
> http://www.openssl.org/support/faq.html#USER15
>
> Specifically the authority key identifier of the EE certificate is incorrectly
> set, though it is set correctly for other certificates in the chain.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org

--
Regards,

Tomás Tormo Franco
Systems department
INDENOVA S.L.
C/ Dels Traginers 14, 2º B
Polígono Vara de Quart
46014 Valencia
Tel. (34) 96 381 99 47
Fax. (34) 96 381 99 48
tto...@indenova.com
http://www.indenova.com

Download the free eSigna Viewer software to view electronically signed documents: http://www.indenova.com/eSignaViewer.php
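The AKID rule discussed above, as an added example that is not part of the original thread: a small Python model of how OpenSSL matches a certificate's AuthorityKeyIdentifier against a candidate issuer while building a chain. The chain roles follow the thread (Global.pem root, ACCamerfirma, racer.pem, EE); the DNs, key identifiers and serial numbers are constructed, and the `Cert` dataclass stands in for a parsed X.509 certificate.

```python
# Model of the AuthorityKeyIdentifier match OpenSSL applies while looking for a
# certificate's issuer (the "unable to get local issuer certificate" path).
# Added example for this thread, not OpenSSL's code; DNs, key ids and serials are
# constructed, only the roles (Global, ACCamerfirma, racer, EE) follow the thread.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int
    skid: bytes                         # SubjectKeyIdentifier
    akid_keyid: Optional[bytes] = None  # AKID keyIdentifier: the issuer's SKID
    akid_issuer: Optional[str] = None   # AKID authorityCertIssuer: the issuer's *own* issuer DN
    akid_serial: Optional[int] = None   # AKID authorityCertSerialNumber: the issuer's serial

def check_akid(cert: Cert, issuer: Cert) -> List[str]:
    """Every AKID field that is present must match; a correct SKID does not excuse a wrong issuer name."""
    problems = []
    if cert.akid_keyid is not None and cert.akid_keyid != issuer.skid:
        problems.append("keyIdentifier != issuer SKID")
    if cert.akid_serial is not None and cert.akid_serial != issuer.serial:
        problems.append("authorityCertSerialNumber != issuer serial")
    if cert.akid_issuer is not None and cert.akid_issuer != issuer.issuer:
        problems.append("authorityCertIssuer != issuer's issuer DN")
    return problems

def find_issuer(cert: Cert, store: List[Cert]) -> Optional[Cert]:
    """A candidate must match by subject name and pass the AKID check; None is error 20."""
    for cand in store:
        if cand.subject == cert.issuer and not check_akid(cert, cand):
            return cand
    return None

# Constructed chain: Global (self-signed root) -> ACCamerfirma -> racer -> EE
GLOBAL = Cert("CN=Global", "CN=Global", 1, b"\x01")
CAMERFIRMA = Cert("CN=ACCamerfirma", "CN=Global", 2, b"\x02",
                  akid_keyid=b"\x01", akid_issuer="CN=Global", akid_serial=1)
RACER = Cert("CN=racer", "CN=ACCamerfirma", 3, b"\x03",
             akid_keyid=b"\x02", akid_issuer="CN=Global", akid_serial=2)
# EE as described in the thread: keyid and serial point at racer correctly, but
# authorityCertIssuer carries racer's own subject instead of racer's issuer.
EE_BAD = Cert("CN=EE", "CN=racer", 4, b"\x04",
              akid_keyid=b"\x03", akid_issuer="CN=racer", akid_serial=3)
EE_FIXED = Cert("CN=EE", "CN=racer", 4, b"\x04",
                akid_keyid=b"\x03", akid_issuer="CN=ACCamerfirma", akid_serial=3)
```

`find_issuer(EE_BAD, [GLOBAL, CAMERFIRMA, RACER])` returns `None` because racer matches by name and SKID but fails the issuer-name comparison, while `EE_FIXED` resolves to racer.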