author | steve <steve> | 2006-02-11 00:46:34 +0000 |
---|---|---|
committer | steve <steve> | 2006-02-11 00:46:34 +0000 |
commit | 50e4a81c94a2d3c6fb4af26ab53334c66b08f287 (patch) | |
tree | fe2ae79e38a11bd29744af4cf769e52a586c8abd /FAQ | |
parent | 750caf9f1298d3572e036c45a078cab61feae4b7 (diff) | |
download | openssl-50e4a81c94a2d3c6fb4af26ab53334c66b08f287.tar.gz |
Add FAQ about AKID.
Diffstat (limited to 'FAQ')
-rw-r--r-- | FAQ | 20 |
1 files changed, 20 insertions, 0 deletions
@@ -32,6 +32,7 @@ OpenSSL - Frequently Asked Questions * How do I install a CA certificate into a browser? * Why is OpenSSL x509 DN output not conformant to RFC2253? * What is a "128 bit certificate"? Can I create one with OpenSSL? +* Why does OpenSSL set the authority key identifier extension incorrectly? [BUILD] Questions about building and testing OpenSSL @@ -425,6 +426,25 @@ The export laws were later changed to allow almost unrestricted use of strong encryption so these certificates are now obsolete. +* Why does OpenSSL set the authority key identifier AKID) extension incorrectly? + +It doesn't: this extension is often the cause of confusion. + +Consider a certificate chain A->B->C so that A signs, B and B signs C. Suppose +certificate C contains AKID. + +The purpose of this extension is to identify the authority certificate B. This +can be done either by including the subject key identifier of B or its issuer +name and serial number. + +In this latter case because it is identifying certifcate B it must contain the +issuer name and serial number of B. + +It is often wrongly assumed that it should contain the issuer name of C. If it +did this would be redundant information because it would duplicate the issuer +name of C. + + [BUILD] ======================================================================= * Why does the linker complain about undefined symbols? |
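Review bot: The index entry added in the first hunk does not match the question heading added in the second hunk: the index reads "authority key identifier extension incorrectly?" while the heading inserts the abbreviation between "identifier" and "extension". Use identical wording in both places so a reader who searches the FAQ body for the index text finds the answer.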
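Review bot: The answer text added in the second hunk has three wording defects that should be fixed before this lands. The heading has an unbalanced parenthesis ("AKID)" should be "(AKID)"), the chain description "A signs, B and B signs C" has a misplaced comma and should read "A signs B and B signs C", and "certifcate" should be "certificate". In the last paragraph, consider saying that the value would duplicate the issuer name field already present in C, so it is clear why the information would be redundant.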