> From: owner-openssl-users On Behalf Of Walter H.
> Sent: Tuesday, November 12, 2013 05:08
>
> On Tue, November 12, 2013 05:47, Alan Jakimiuk wrote:
> > Is there a way I can make all three linked?
>
> this should be the default.
>
> > ie. Cert A->Cert B->Cert C in the certification path?
> > Any help would be appreciated
>
> can you view the certificates?
> openssl x509 -noout -text -in certfile
>
> you should see in both, the intermediate and the Cert C something like
>
> X509v3 Authority Key Identifier:
>     keyid:EB:DF:B2:26:76:...
>     serial:6F:7F:C0:...

If certs created with openssl command line (which OP didn't actually say) you can have both keyid and serial only if the issuance operation specified keyid[:always],issuer:always which the standard openssl.cnf doesn't. And in that case you will have DirName in between. (Or at least should; PKIX allows Subject empty for EE cert but not CA cert, and since it's hard to create *any* Subject empty with openssl I didn't test violating that.)

> the serial in the intermediate here must match the serial of the root, and
> of Cert C the one of the intermediate
> and the DirName in both matches the root (and the intermediate Issuer).

But only for a chain of 3, the case asked; for longer chains it is different.

Note however this *links* the chain-of-3, as literally asked, but it does not by itself allow *verifying* the chain-of-3, which appears to be what the OP actually wants. And for verifying I don't think you actually need the AKI linkage, although it might depend on Windows version or maybe some setting(s) someplace. What you do need is all three certs available at verification time. For example I can have an SSL server send leaf and intermediate (OP's C and B) to IE on Windows that has only the root (A) in TrustedRoots, and it verifies, and displays the path correctly, with no AKI at all, only the classic Issuer->Subject linkage (which is slightly less work for me to set up).

To OP: Do you want to verify this chain (or your cert C using this chain), and if so specifically what are you doing? Using it in SSL? Using it in SMIME or similar? Just opening the cert by itself in CryptExtBlah?

______________________________________________________________________
OpenSSL Project                                     http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
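The chain-of-3 linkage and verification discussed in the thread, as an added example that is not part of any message above: it builds Cert A (root) -> Cert B (intermediate) -> Cert C (leaf) with the openssl CLI, issuing B and C with `keyid:always,issuer:always` so their AKI carries keyid, DirName and serial, then verifies C with only A trusted and B supplied as untrusted. The file names, subjects and the working directory are assumptions of this example.

```shell
#!/bin/sh
# Chain Cert A (root) -> Cert B (intermediate) -> Cert C (leaf) with the openssl
# CLI.  B and C get authorityKeyIdentifier=keyid:always,issuer:always, so their
# AKI carries keyid, DirName and serial (the stock openssl.cnf uses
# keyid:always,issuer and emits keyid only).  Names and paths are assumptions.
set -eu

# Extension file used at signing time.  $1 = path, $2 = root|ca|leaf
write_ext() {
    {
        echo "subjectKeyIdentifier=hash"
        # issuer:always adds DirName and serial next to keyid
        [ "$2" = root ] || echo "authorityKeyIdentifier=keyid:always,issuer:always"
        [ "$2" = leaf ] && echo "basicConstraints=CA:FALSE" \
                        || echo "basicConstraints=critical,CA:TRUE"
    } > "$1"
}
# Key pair and CSR for one subject.  $1 = dir, $2 = name, $3 = CN
csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
        -out "$1/$2.csr" -subj "/CN=$3" 2>/dev/null
}
# Build root.pem, inter.pem and leaf.pem in directory $1.
build_chain() {
    d=$1
    write_ext "$d/root.ext" root; write_ext "$d/ca.ext" ca; write_ext "$d/leaf.ext" leaf
    csr "$d" root "Cert A root"; csr "$d" inter "Cert B intermediate"; csr "$d" leaf "Cert C leaf"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/root.ext" -out "$d/root.pem" 2>/dev/null
    # Each cert below is signed by the previous one, so its AKI DirName and
    # serial are copied from that issuer's Subject and serial number.
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}
# Return 0 when the cert's AKI shows keyid, DirName and serial.
aki_fully_linked() {
    t=$(openssl x509 -noout -text -in "$1")
    for f in keyid: DirName: serial:; do echo "$t" | grep -q "$f" || return 1; done
}
# Verify C with only A trusted and B passed as untrusted; prints OK on success.
verify_leaf() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/leaf.pem" | sed 's/.*: //'
}

if [ "${1:-}" = demo ]; then            # run as: sh chain.sh demo
    d=$(mktemp -d); build_chain "$d"; verify_leaf "$d"
    openssl x509 -noout -text -in "$d/leaf.pem" | grep -A3 'Authority Key Identifier'
fi
```

Dropping `-untrusted` from the verify call makes it fail, which is the point that all three certs must be available at verification time.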