On Mon, Aug 30, 2010, Toms Tormo wrote:

> Finally, I checked the Authority Key Identifier of the EE certificate but
> it looks good to me...
>
> /[amsterdam:/test]# openssl x509 -in admesigna.cer -text
>
> keyid:B2:D2:89:54:6C:14:8E:84:CC:F4:DA:26:6A:45:9C:27:A9:5C:02:CF
> DirName:/C=ES/O=AC Indenova SL - CIF
> B97458996/OU=http///www.indenova.com/CN=AC Indenova
> serial:14:19:C1:49:C9:86:CB:CC*
>
> Could anybody give me some clue about this?
>
> Thank you very much.
>
If you include the -issuer_checks option you can soon diagnose the problem.
You will see lots of messages about subject issuer mismatches: that's normal.
Anything else may indicate a problem. In this case you get:

error 31 at 0 depth lookup:authority and issuer serial number mismatch

That is specifically indicating a problem with AKID. Looking above I can see
"http///" in AKID.

I'd actually recommend not including the issuer and serial number in AKID if
you can and just using the keyid option. Newer OpenSSL default configuration
files do that.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
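
The recommendation above, as an added example that is not part of the original thread: a shell script that issues the same request twice, once with issuer and serial in AKID and once with keyid only, then verifies both against a CA certificate reissued with the same key and a new serial. The CA reissue scenario, all names, serials and file paths are constructed assumptions; it goes beyond the thread's specific certificate to show why an issuer/serial AKID is fragile.

```shell
#!/bin/sh
# Constructed demo: every name, serial and path below is made up.
# Assumed scenario: the CA certificate is reissued with the same key and
# subject but a new serial number.

verdict() {  # $1 = CA file, $2 = certificate; prints OK or FAIL
  if openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'; then
    echo OK
  else
    echo FAIL
  fi
}

akid_demo() {
  d=$(mktemp -d) || return 2
  cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Constructed Demo CA
[ca_ext]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[ee_full]
authorityKeyIdentifier = keyid,issuer:always
[ee_keyid]
authorityKeyIdentifier = keyid
EOF
  openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
  openssl genrsa -out "$d/ee.key" 2048 2>/dev/null
  for s in 1 2; do  # same CA key and name, two serial numbers
    openssl req -x509 -new -config "$d/demo.cnf" -extensions ca_ext \
      -key "$d/ca.key" -set_serial "$s" -days 30 -out "$d/ca$s.pem"
  done
  openssl req -new -config "$d/demo.cnf" -subj "/CN=ee.demo.invalid" \
    -key "$d/ee.key" -out "$d/ee.csr"
  for e in ee_full ee_keyid; do  # both issued under the serial-1 CA cert
    openssl x509 -req -in "$d/ee.csr" -CA "$d/ca1.pem" -CAkey "$d/ca.key" \
      -set_serial 100 -days 30 -extfile "$d/demo.cnf" -extensions "$e" \
      -out "$d/$e.pem" 2>/dev/null
  done
  # Verify both against the reissued (serial 2) CA certificate.
  echo "full=$(verdict "$d/ca2.pem" "$d/ee_full.pem")" \
       "keyid=$(verdict "$d/ca2.pem" "$d/ee_keyid.pem")"
  rm -rf "$d"
}

akid_demo
```
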