Incorrect Authority Key Identifier on openssl end cert
This is normal behavior.
The DirName in the Authority Key Identifier is actually the Subject name of the Issuer of the Issuer. Just including the Subject of the Issuer would be duplicating the Issuer DN already available in the certificate.
This is a common question that is also answered in the OpenSSL FAQ.
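To see the rule described in this answer in action, here is an added shell script (not code from the answer or from the OpenSSL project) that builds a root, an intermediate and an end certificate with openssl and then checks that each certificate's Authority Key Identifier carries its issuer's Subject Key Identifier, its issuer's own issuer DN as the DirName, and its issuer's serial number. The subject names, serial numbers and the ext.cnf sections are made up for the example, and OpenSSL 1.1.1 or later is assumed for the -ext option.

```shell
# Added example, not code from the original post: build a three-level chain
# with openssl and verify the rule the answer states, i.e. a certificate's
# Authority Key Identifier carries the issuer's SKI (keyid), the issuer's
# *issuer* name (DirName) and the issuer's own serial number. Names are made up.
set -e
WORK=$(mktemp -d)

build_chain() {
  cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused-when-subj-is-given
[ca]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
[leaf]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
EOF
  for n in root inter end; do   # one EC key and CSR per level
    openssl req -new -config "$WORK/ext.cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
      -nodes -keyout "$WORK/$n.key" -out "$WORK/$n.csr" -subj "/CN=x${n}x" 2>/dev/null
  done
  # self-signed root (serial 1), intermediate (serial 0x1234), end cert (serial 0x101)
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -set_serial 1 -days 1 \
    -extfile "$WORK/ext.cnf" -extensions ca -out "$WORK/root.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -set_serial 4660 -days 1 -extfile "$WORK/ext.cnf" -extensions ca -out "$WORK/inter.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/end.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -set_serial 257 -days 1 -extfile "$WORK/ext.cnf" -extensions leaf -out "$WORK/end.pem" 2>/dev/null
}

# check_aki CERT ISSUER: succeed only if CERT's AKI identifies ISSUER the way the answer describes
check_aki() {
  aki=$(openssl x509 -in "$1" -noout -ext authorityKeyIdentifier)
  ski=$(openssl x509 -in "$2" -noout -ext subjectKeyIdentifier | sed -n '2s/ //gp')
  up=$(openssl x509 -in "$2" -noout -issuer -nameopt compat | sed 's/^issuer= *//')   # ISSUER's issuer DN
  serial=$(openssl x509 -in "$2" -noout -serial | sed 's/^serial=//; s/../&:/g; s/:$//')
  printf '%s\n' "$aki" | grep -q "keyid:$ski" &&
    printf '%s\n' "$aki" | grep -qF "DirName:$up" &&
    printf '%s\n' "$aki" | grep -qF "serial:$serial"
}

build_chain
check_aki "$WORK/end.pem" "$WORK/inter.pem" && echo "end cert: DirName is the root DN, serial is the intermediate's"
check_aki "$WORK/inter.pem" "$WORK/root.pem" && echo "intermediate: DirName and serial both belong to the root"
```

The second call shows the same rule applied one level up: for the intermediate, the DirName is the root's own DN because the root is self-signed.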
Updated on September 18, 2022
Comments
-
Huckle over 1 year
I'm getting interesting results when signing an end-server certificate using an intermediate CA using openssl.
I have a Root CA which looks like this:
        Serial Number: 14296918985177649921 (0xc668dc11960d5301)
        Issuer: C=US, ST=xROOTx, L=xROOTx, O=xROOTx, CN=xROOTx
        Subject: C=US, ST=xROOTx, L=xROOTx, O=xROOTx, CN=xROOTx
            X509v3 Subject Key Identifier:
                1A:E5:27:E9:EF:2F:90:A7:13:91:1A:12:A9:3A:1D:AE:BA:1E:B8:35
Which has signed an intermediate CA which looks like this:
        Serial Number: 0 (0x0)
        Issuer: C=US, ST=xROOTx, L=xROOTx, O=xROOTx, CN=xROOTx
        Subject: C=US, ST=xINTERx, O=xINTERx, CN=xINTERx
            X509v3 Authority Key Identifier:
                keyid:1A:E5:27:E9:EF:2F:90:A7:13:91:1A:12:A9:3A:1D:AE:BA:1E:B8:35
                DirName:/C=US/ST=xROOTx/L=xROOTx/O=xROOTx/CN=xROOTx
                serial:C6:68:DC:11:96:0D:53:01
            X509v3 Subject Key Identifier:
                16:BF:D6:2F:0D:58:A5:C3:84:95:4B:F6:FE:27:3E:0B:79:0C:6F:04
And when I sign the end-server cert I get this:
        Serial Number: 1 (0x1)
        Issuer: C=US, ST=xINTERx, O=xINTERx, CN=xINTERx
        Subject: C=US, ST=xENDx, O=xENDx, CN=xENDx
            X509v3 Authority Key Identifier:
                keyid:16:BF:D6:2F:0D:58:A5:C3:84:95:4B:F6:FE:27:3E:0B:79:0C:6F:04
                DirName:/C=US/ST=xROOTx/L=xROOTx/O=xROOTx/CN=xROOTx
                serial:00
            X509v3 Subject Key Identifier:
                3B:86:64:4B:80:EE:BF:92:0D:A9:D6:FD:8C:FD:DD:FF:55:55:C6:11
This shows the correct KeyId and Serial from the intermediate CA but the wrong DirName, which for some reason is the Root CA's DN.
-
Huckle over 10 years
The spec really doesn't make that clear. The first sentence is pretty unambiguous, but the second sentence seems to indicate it should be the Issuer name and Serial number of the signing certificate. Half of that is duplicate information, but the serial number is not duplicated and is needed to pick the right key if many exist for a given issuer. (RFC 2459, Section 4.2.1.1) "The identification may be based on either the key identifier (the subject key identifier in the issuer's certificate) or on the issuer name and serial number."