Hi,
Could someone please confirm the points I mentioned in the previous email?
I also wanted to understand how to identify cross certificates using
OpenSSL. I understand that the AKI checks are not sufficient when cross
certificates are present in my certificate chain.
--
Ashok
On Mon, Jul 23,
Hi,
I read in RFC 5280 that AKI is mandatory for all certificates
generated by a conforming CA.
"The keyIdentifier field of the authorityKeyIdentifier extension MUST
be included in all certificates generated by conforming CAs to
facilitate certification path construction. There is one
Hi Ashok,
If you have a look at v3_purp.c,
you can follow the following algorithm:
1. Check the issuer name; if okay then proceed, else exit.
2. Check the akid,
3. Check the key usage ... (whether the issuer certificate in the chain for a
subject under consideration is allowed to sign or not),
4. check the p
Thanks Sukalp,
But I would like confirmation for the algorithm also.
Whether SKI/AKI related checks are sufficient for the chain formation, or
if anything else needs to be checked.
--
Ashok
On Mon, Jul 23, 2012 at 12:54 PM, Sukalp Bhople wrote:
> Hi,
>
> You can have a look at following files
Hi,
You can have a look at the following files from the OpenSSL source code.
1. ssl_cert.c (around line number 626)
2. x509_vfy.c (around line number 153)
3. v3_purp.c (around line number 700).
Good luck!
On Mon, Jul 23, 2012 at 8:41 AM, Ashok C wrote:
> Hi,
>
> I have a requirement to form a correct
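
The issuer-matching steps listed in the thread (issuer name, AKI, key usage), written as an added Python example that is not from the thread or from OpenSSL's source; the `Cert` record and the sample certificates are constructed stand-ins for parsed X.509 fields. It also shows why a cross certificate passes the same AKI/SKI check as the self-signed root that shares its subject and key.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cert:
    # Hypothetical record of already-parsed fields, not an OpenSSL structure.
    subject: str
    issuer: str
    ski: str                 # subjectKeyIdentifier
    aki: Optional[str]       # authorityKeyIdentifier keyid, None if absent
    key_cert_sign: bool      # keyUsage includes keyCertSign


def candidate_issuers(child, pool):
    """Steps 1-3 from the thread: issuer name, AKI keyid vs SKI, key usage."""
    found = []
    for ca in pool:
        if ca.subject != child.issuer:
            continue                      # step 1: name must match
        if child.aki is not None and child.aki != ca.ski:
            continue                      # step 2: keyid must match when present
        if not ca.key_cert_sign:
            continue                      # step 3: issuer must be allowed to sign
        found.append(ca)
    return found


def cross_certificates(pool):
    """Certs sharing subject and key id with another cert, issued by a different name."""
    groups = defaultdict(list)
    for cert in pool:
        groups[(cert.subject, cert.ski)].append(cert)
    return [c for group in groups.values()
            if len({x.issuer for x in group}) > 1
            for c in group if c.issuer != c.subject]


# Constructed sample data: Root A's key is also certified by Root B.
ROOT_A = Cert("CN=Root A", "CN=Root A", "aa", "aa", True)
ROOT_B = Cert("CN=Root B", "CN=Root B", "bb", "bb", True)
CROSS = Cert("CN=Root A", "CN=Root B", "aa", "bb", True)
LEAF = Cert("CN=leaf", "CN=Root A", "11", "aa", False)
POOL = [ROOT_A, ROOT_B, CROSS]

if __name__ == "__main__":
    print([c.issuer for c in candidate_issuers(LEAF, POOL)])  # two candidates
    print(cross_certificates(POOL))
```

Both `ROOT_A` and `CROSS` are returned as issuers for the leaf, so the AKI/SKI match alone does not pick a path; signature verification and trust-anchor selection are outside this sketch.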