Re: Multi-level certificate chains

[Viktor Dukhovni]

On Wed, Nov 13, 2013 at 11:07:19PM -0500, Dave Thompson wrote:

> If certs created with openssl commandline (which OP didn't actually say) 
> you can have both keyid and serial only if the issuance operation specified 
> keyid[:always],issuer:always which the standard openssl.cnf doesn't.
> And in that case you will have DirName in between. (Or at least should;
> PKIX allows Subject empty for EE cert but not CA cert, and since it's hard
> to create *any* Subject empty with openssl I didn't test violating that.)

Just pass: "-subj /" to any of the usual suspects:

$ openssl x509 -in /tmp/empty-subject.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: ecdsa-with-SHA256
        Issuer:
        Validity
            Not Before: Nov 14 08:58:36 2013 GMT
            Not After : Dec 14 08:58:36 2013 GMT
        Subject:
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:26:8c:6d:89:3d:91:67:cf:4f:78:04:2a:82:25:
                    40:3e:85:3d:3f:9e:6b:73:de:07:dd:65:e1:ce:ab:
                    7a:4b:1a:7c:1b:b3:5a:a1:ba:b6:36:7d:26:11:9f:
                    fc:06:4d:40:43:e1:b9:a0:60:2a:fa:69:50:ef:80:
                    56:96:57:96:ce
                ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Key Identifier:
                58:74:4A:C8:7C:B6:A1:12:1F:2B:55:B4:43:C7:53:52:28:4D:29:9B
            X509v3 Authority Key Identifier:
                
keyid:58:74:4A:C8:7C:B6:A1:12:1F:2B:55:B4:43:C7:53:52:28:4D:29:9B
                DirName:
                serial:01

            X509v3 Subject Alternative Name:
                DNS:example.com
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:20:26:55:0e:b3:74:c6:52:e4:3a:ff:28:77:25:d0:
         01:26:32:57:2e:bc:ca:78:d6:de:f6:50:9d:d8:9a:de:04:12:
         02:21:00:bc:e9:f6:25:91:09:9a:57:f0:3e:bd:c4:82:54:44:
         b3:c0:a7:5d:ea:98:7d:11:2a:61:f2:1f:56:e7:c2:d3:33
-----BEGIN CERTIFICATE-----
MIIBfjCCASSgAwIBAgIBATAKBggqhkjOPQQDAjAAMB4XDTEzMTExNDA4NTgzNloX
DTEzMTIxNDA4NTgzNlowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCaMbYk9
kWfPT3gEKoIlQD6FPT+ea3PeB91l4c6reksafBuzWqG6tjZ9JhGf/AZNQEPhuaBg
KvppUO+AVpZXls6jgY4wgYswCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcD
AQYIKwYBBQUHAwIwHQYDVR0OBBYEFFh0Ssh8tqESHytVtEPHU1IoTSmbMCgGA1Ud
IwQhMB+AFFh0Ssh8tqESHytVtEPHU1IoTSmboQSkAjAAggEBMBYGA1UdEQQPMA2C
C2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCICZVDrN0xlLkOv8odyXQASYy
Vy68ynjW3vZQndia3gQSAiEAvOn2JZEJmlfwPr3EglREs8CnXeqYfREqYfIfVufC
0zM=
-----END CERTIFICATE-----
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org