Hello once again,

Now I have the extension-patch [0] applied to the M2Crypto SVN branch (revision 704). Creating a root and a subRoot CA certificate now works great, including the SKID/AKID extensions.

I am also able to verify those created certificates using:

    $ openssl verify -CAfile rootCA.crt rootCA.crt
    rootCA.crt: OK
    $ openssl verify -CAfile rootCA.crt subRootCA.crt
    subRootCA.crt: OK

But having a closer look at the generated key IDs shows that there is either something wrong in the way I am adding the subjectKeyIdentifier extension or in the way the hash gets calculated in the background. These are the hashes:

__rootCA__
SKID F4:EF:64:5F:7A:A2:2A:14:14:F9:AE:6E:DB:04:78:0A:8C:6E:02:9F -: A --> OKAY
AKID F4:EF:64:5F:7A:A2:2A:14:14:F9:AE:6E:DB:04:78:0A:8C:6E:02:9F -: A --> OKAY

__subRootCA (signed by rootCA)__
SKID DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09 -: B --> OKAY
AKID F4:EF:64:5F:7A:A2:2A:14:14:F9:AE:6E:DB:04:78:0A:8C:6E:02:9F -: A --> OKAY

__client (signed by rootCA)__
SKID DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09 -: B --> NOT OKAY, should be different from RootCA
AKID F4:EF:64:5F:7A:A2:2A:14:14:F9:AE:6E:DB:04:78:0A:8C:6E:02:9F -: A --> OKAY

__client (signed by subRootCA)__
SKID DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09 -: B --> NOT OKAY, should be different from subRootCA
AKID DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09 -: B --> OKAY

I really would be happy if someone could have a look at my code [1], as these extensions are important for verifying the trust chain. Please let me know if there is anything I can do with my limited knowledge about OpenSSL to get this working...

Regards,
Matthias

[0] https://bugzilla.osafoundation.org/attachment.cgi?id=5106
[1] http://code.google.com/p/webca/source/browse/trunk/src/ca.py
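
Added example, not part of the original post or of M2Crypto: a stdlib-only Python check over the key identifiers listed above. It relies on the fact that the value labelled B in the post is the SHA-1 digest of empty input, so an identifier with that value was hashed over no key bytes; the record layout and the names `audit`, `skid_for` and `POSTED` are assumptions made for the example.

```python
import hashlib
from collections import defaultdict

# SHA-1 over zero bytes: what a hash-style key identifier becomes when it is
# computed over no key material at all.
EMPTY_SHA1 = hashlib.sha1(b"").hexdigest().upper()

def norm(key_id):
    """Normalise 'F4:EF:..' or 'f4ef..' to upper-case hex without colons."""
    return key_id.replace(":", "").strip().upper()

def skid_for(public_key_bits):
    """RFC 5280 4.2.1.2 method (1): SHA-1 of the subjectPublicKey bit string."""
    return hashlib.sha1(public_key_bits).hexdigest().upper()

def audit(certs):
    """certs: list of dicts with name, issuer, skid, akid. Returns findings."""
    findings = []
    by_name = {c["name"]: c for c in certs}
    by_skid = defaultdict(list)
    for c in certs:
        by_skid[norm(c["skid"])].append(c["name"])
        if norm(c["skid"]) == EMPTY_SHA1:
            findings.append((c["name"], "SKID is SHA-1 of empty input"))
        issuer = by_name.get(c["issuer"])
        if issuer and norm(c["akid"]) != norm(issuer["skid"]):
            findings.append((c["name"], "AKID does not match issuer SKID"))
    for skid, names in by_skid.items():
        if len(names) > 1:
            findings.append((", ".join(names), "SKID shared by several certificates"))
    return findings

A = "F4:EF:64:5F:7A:A2:2A:14:14:F9:AE:6E:DB:04:78:0A:8C:6E:02:9F"
B = "DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09"
# Key identifiers as listed in the post; the record layout is hypothetical.
POSTED = [
    {"name": "rootCA", "issuer": "rootCA", "skid": A, "akid": A},
    {"name": "subRootCA", "issuer": "rootCA", "skid": B, "akid": A},
    {"name": "client-by-root", "issuer": "rootCA", "skid": B, "akid": A},
    {"name": "client-by-sub", "issuer": "subRootCA", "skid": B, "akid": B},
]

if __name__ == "__main__":
    for who, what in audit(POSTED):
        print(f"{who}: {what}")
```

Because `openssl verify` reported OK for the chain shown in the post, a check like this on the key identifiers themselves is what surfaces the problem.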