On Thu, Aug 26, 2010, Toms Tormo wrote:

>> Firstly thank you for the extensive debug information
>
> No!! Thank you very much for your quick answer/reply!!
>
>> Specifically the authority key identifier of the EE certificate is
>> incorrectly set, though it is set correctly for other certificates in
>> the chain.
>
> I've been checking the Authority Key Identifier of all certificates and I
> think I know what you mean. I can see that all certificates (but root and
> EE) have:
>
> - Subject Key Identifier of its parent
> - *subject of the issuer of its issuer (in case of racer.pem, the subject
>   of Global.pem)*
> - serial number of its parent
>
> meanwhile the EE certificate has:
>
> - Subject Key Identifier of its parent
> - *subject of its parent*
> - serial number of its parent
>
> Is it the problem? Because it's a bit confusing for me... as far as I
> understand from the link you gave me (and RFC 5280, which says
> practically the same), the EE of a certificate chain must identify its
> parent by means of the AKID.
>
> Following the OpenSSL FAQ example, C certificate must identify the
> authority certificate B with the AKID. This can be done either by
> including *the subject key identifier of B* or *its issuer name and
> serial number* (of B?).
>
> In my case, the EE certificate has the right subject key identifier
> (racer's subject key identifier), right serial number (racer's serial
> number), but wrong issuer name (should be ACCamerfirma's subject instead
> of racer's serial number). Am I right? If one of the conditions is right
> (subject key identifier), shouldn't it validate anyway?
Well at present the check is rather strict in that everything has to match.
The actual code that does this is in the function X509_check_issued(), you
could add a workaround in there to handle this case.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
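The matching rule the thread is about, as an added example that is not part of the thread and not OpenSSL's own code: each Authority Key Identifier field that is present in a certificate is compared against its candidate issuer (keyIdentifier against the issuer's Subject Key Identifier, authorityCertIssuer against the issuer's own issuer name, i.e. the grandparent's subject, and authorityCertSerialNumber against the issuer's serial). Certificates are modelled as plain data with constructed values shaped like the chain described above (root, two CAs, and an EE whose authorityCertIssuer names its parent instead of its grandparent); the names, the `Cert` class, `check_issued()`, `audit_chain()` and the `strict` flag are all assumptions of this example. `strict=True` reproduces the "everything has to match" behaviour Steve describes; `strict=False` is the keyid-only relaxation the question asks about.

```python
# Added example, not from the thread or from OpenSSL. Models the RFC 5280
# AKID <-> issuer consistency check that X509_check_issued() performs in
# OpenSSL, over a constructed chain (all values below are stand-ins).
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    skid: bytes                          # SubjectKeyIdentifier
    akid_keyid: Optional[bytes] = None   # AKID keyIdentifier
    akid_issuer: Optional[str] = None    # AKID authorityCertIssuer
    akid_serial: Optional[int] = None    # AKID authorityCertSerialNumber


def check_issued(issuer: Cert, subject: Cert, strict: bool = True) -> List[str]:
    """Return the list of mismatches between subject's AKID and issuer.

    An empty list means the issuer is accepted.  strict=True: every AKID
    field that is present must match (the behaviour described in the
    thread).  strict=False: a matching keyIdentifier alone is sufficient
    and the issuer/serial fields are not consulted.
    """
    problems: List[str] = []
    if subject.issuer != issuer.subject:
        problems.append("issuer name != candidate issuer's subject")
    if subject.akid_keyid is not None and subject.akid_keyid != issuer.skid:
        problems.append("AKID keyIdentifier != issuer SubjectKeyIdentifier")
    if not strict and subject.akid_keyid is not None:
        return problems
    # authorityCertIssuer names the issuer *of the issuer*, so it must equal
    # the candidate issuer's own issuer field, not its subject.
    if subject.akid_issuer is not None and subject.akid_issuer != issuer.issuer:
        problems.append("AKID authorityCertIssuer != issuer's own issuer name")
    if subject.akid_serial is not None and subject.akid_serial != issuer.serial:
        problems.append("AKID authorityCertSerialNumber != issuer serial")
    return problems


def audit_chain(chain: List[Cert], strict: bool = True) -> Dict[str, List[str]]:
    """chain is ordered root first, EE last; maps each subject to its problems."""
    return {
        cert.subject: check_issued(chain[i - 1], cert, strict)
        for i, cert in enumerate(chain)
        if i > 0
    }


# Constructed chain shaped like the one in the thread.  The two CA
# certificates carry a correct authorityCertIssuer (their grandparent's
# subject); the EE wrongly carries its parent's subject instead.
ROOT = Cert("CN=Root CA", "CN=Root CA", 1, b"\x01" * 20)
INTER = Cert("CN=Intermediate CA", "CN=Root CA", 2, b"\x02" * 20,
             akid_keyid=b"\x01" * 20, akid_issuer="CN=Root CA", akid_serial=1)
ISSUING = Cert("CN=Issuing CA", "CN=Intermediate CA", 3, b"\x03" * 20,
               akid_keyid=b"\x02" * 20, akid_issuer="CN=Root CA", akid_serial=2)
EE = Cert("CN=end-entity", "CN=Issuing CA", 4, b"\x04" * 20,
          akid_keyid=b"\x03" * 20, akid_issuer="CN=Issuing CA", akid_serial=3)
CHAIN = [ROOT, INTER, ISSUING, EE]

if __name__ == "__main__":
    for mode in (True, False):
        print("strict" if mode else "keyid-only")
        for subj, probs in audit_chain(CHAIN, strict=mode).items():
            print(f"  {subj}: {'ok' if not probs else '; '.join(probs)}")
```

Under the strict check only the EE is rejected, and only because of its authorityCertIssuer; the keyid-only variant accepts the whole chain, which is the trade-off a workaround in the issuer check would be making.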