I'm having problems using a certificate which I signed using my own CA
(self-signed) certificate. Whenever this 'sub-ca' certificate is used to
sign a certification request I'm getting the following error:
19343:error:2207707B:X509 V3 routines:V2I_AUTHORITY_KEYID:unable to get
issuer keyid:v3_akey.c:210:
19343:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in
extension:v3_conf.c:91:name=authorityKeyIdentifier,
value=keyid:always,issuer:always
By checking this error message (and lots of reading) I narrowed it down
to the following statement in my openssl.cnf:
authorityKeyIdentifier = keyid:always,issuer:always
Whenever I remove the "keyid:always" my problems are solved and I can go
ahead with authorizing the certificate request. The only problem which
remains is that I fail to understand what's going on. The error says it's
unable to get the issuer keyid, but it seems to be able to get the
issuer (id?) itself without problems.
Now... From what I understand so far I suspect that whenever I try to
sign a request 'authorityKeyIdentifier' tells OpenSSL how to identify
the authority of the used certificate. In my case it needs to travel up
the chain by 1 step but for some reason fails on the keyid.
When trying to solve this I started with the 'verify' program and it
told me that it had a problem with looking up the local issuer. I solved
that by placing the 'hash'.0 of my root certificate in my global certs
directory. Still, this did not solve the above problem.
After reading this list the only thing which came a bit close to this
was a posting of 2002-03-19 and 2002-11-04 but unfortunately it couldn't
help me to understand.
Can any of you provide me with some background on this?
Thanks in advance!
--
Groetjes, Peter
.\\ PGP/GPG key: http://www.catslair.org/pubkey.asc
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org
> Hi guys,
>
> I'm having problems using a certificate which I signed using my own CA
> (self-signed) certificate. Whenever this 'sub-ca' certificate is used to
> sign a certification request I'm getting the following error:
>
> 19343:error:2207707B:X509 V3 routines:V2I_AUTHORITY_KEYID:unable to get
> issuer keyid:v3_akey.c:210:
> 19343:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in
> extension:v3_conf.c:91:name=authorityKeyIdentifier,
> value=keyid:always,issuer:always
>
> By checking this error message (and lots of reading) I narrowed it down
> to the following statement in my openssl.cnf:
>
> authorityKeyIdentifier = keyid:always,issuer:always
>
>
It shouldn't have needed too much investigation: the error message is telling
you the precise line in the config file it doesn't like...
> Whenever I remove the "keyid:always" my problems are solved and I can go
> ahead with authorizing the certificate request. The only problem which
> remains is that I fail to understand what's going on. The error says it's
> unable to get the issuer keyid, but it seems to be able to get the
> issuer (id?) itself without problems.
>
> Now... From what I understand so far I suspect that whenever I try to
> sign a request 'authorityKeyIdentifier' tells OpenSSL how to identify
> the authority of the used certificate. In my case it needs to travel up
> the chain by 1 step but for some reason fails on the keyid.
>
> When trying to solve this I started with the 'verify' program and it
> told me that it had a problem with looking up the local issuer. I solved
> that by placing the 'hash'.0 of my root certificate in my global certs
> directory. Still, this did not solve the above problem.
>
> After reading this list the only thing which came a bit close to this
> was a posting of 2002-03-19 and 2002-11-04 but unfortunately it couldn't
> help me to understand.
>
>
> Can any of you provide me with some background on this?
>
There are several ways to identify the issuing certificate for a given
certificate.
The simplest is the issuer and subject names. The issuer name of one
certificate must match (for some value of "match") the subject name of the
issuing certificate.
For various reasons more than one certificate may exist with the same subject
name so a simple check on issuer name may result in more than one match.
To resolve this situation various extensions can be present in a certificate
to (hopefully) uniquely identify it.
One extension is subject key identifier (SKID) which uniquely identifies the
key a certificate carries.
Another extension is authority key identifier (AKID). This can contain a key
identifier field and/or the issuer name and serial number of the issuing
certificate.
So in effect the AKID of a certificate must match the corresponding extensions
in the issuing certificate. That is, the key id (if present) in AKID must match
the SKID of the issuing certificate and the issuer name and serial number (if
present) in AKID must match those in the issuing certificate.
Now when OpenSSL signs a certificate and is instructed to include the AKID
extension it must be able to retrieve the corresponding data from its issuing
certificate. If you say:
authorityKeyIdentifier = keyid:always,issuer:always
then it's saying that the key id option of AKID *must* always be included and
to give a fatal error if it can't. Since OpenSSL copies the key id from the
issuing certificate it will throw an error if SKID is absent from it.
So that's the probable cause: your CA doesn't have an SKID extension. This is
documented (though not in as much detail) in doc/openssl.txt. The fix is to
either find a way of including SKID in the CA or remove that 'always'
qualifier.
Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: she...@drh-consultancy.demon.co.uk, PGP key: via homepage.
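Added example, not part of the thread (neither Peter's nor Steve's, and not OpenSSL project code): a POSIX shell script that reproduces Steve's diagnosis with the openssl CLI. It builds a root CA without a subjectKeyIdentifier and shows that signing a sub-CA request with the exact 'authorityKeyIdentifier = keyid:always,issuer:always' line fails, then builds a root CA with 'subjectKeyIdentifier = hash' and shows the sub-CA's AKID key id equals the root's SKID. Section names, file names and CN values are constructed for the demo. One assumption to note: OpenSSL 3.x adds 'subjectKeyIdentifier = hash' to every certificate it signs unless the config says 'none', while 1.1.x does not understand 'none', so the script emits that line only on 3.x and later.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenSSL project code): reproduce the
# "unable to get issuer keyid" failure and its fix with the openssl CLI.
# Section names, file names and CN values are constructed for this demo.
set -eu

WORK="${AKID_DEMO_DIR:-$(mktemp -d)}"
CNF="$WORK/openssl.cnf"

# write_config: minimal openssl.cnf with three extension sections.
# [v3_root_noskid] is the failing CA (no SKID), [v3_root] the fixed CA,
# [v3_subca] keeps the exact AKID line from the thread.
# Assumption: OpenSSL 3.x adds an SKID automatically unless told "none";
# 1.1.x rejects "none", so the line is emitted only for 3.x and later.
write_config() {
  no_skid=""
  case "$(openssl version)" in
    "OpenSSL 3."*|"OpenSSL 4."*) no_skid="subjectKeyIdentifier = none" ;;
  esac
  cat > "$CNF" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Demo Root CA
[ v3_root_noskid ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
$no_skid
[ v3_root ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_subca ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
EOF
}

# make_root <name> <section>: self-signed root CA with the given extensions.
make_root() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -config "$CNF" -extensions "$2" -subj "/CN=$1" >/dev/null 2>&1
}

# issue_subca <root> <name>: create a CSR and sign it with <root> using the
# thread's AKID setting. The exit status is openssl's: non-zero reproduces
# the thread's error, whose text is left in $WORK/<name>.err.
issue_subca() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
    -out "$WORK/$2.csr" -config "$CNF" -subj "/CN=$2" >/dev/null 2>&1 &&
  openssl x509 -req -in "$WORK/$2.csr" -days 30 \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$CNF" -extensions v3_subca -out "$WORK/$2.crt" \
    >/dev/null 2>"$WORK/$2.err"
}

# key_id <name> <extension>: print the key identifier carried by the named
# extension (subjectKeyIdentifier or authorityKeyIdentifier) as colon-hex,
# dropping the "keyid:" label the AKID text form uses.
key_id() {
  openssl x509 -in "$WORK/$1.crt" -noout -ext "$2" |
    sed -n 's/^ *\(keyid:\)\{0,1\}\([0-9A-F][0-9A-F:]\{40,\}\).*/\2/p'
}

# akid_matches_issuer <subca> <root>: true when the key id inside the sub-CA's
# AKID equals the root's SKID, the relationship a path builder checks.
akid_matches_issuer() {
  akid="$(key_id "$1" authorityKeyIdentifier)"
  [ -n "$akid" ] && [ "$akid" = "$(key_id "$2" subjectKeyIdentifier)" ]
}

demo_akid_chain() {
  write_config
  make_root root-noskid v3_root_noskid
  if issue_subca root-noskid sub-broken; then
    echo "unexpected: signing succeeded against a CA without SKID"
  else
    echo "CA without SKID + keyid:always: signing failed, see $WORK/sub-broken.err"
  fi
  make_root root v3_root
  issue_subca root sub
  akid_matches_issuer sub root &&
    echo "sub-CA AKID keyid == root SKID: $(key_id root subjectKeyIdentifier)"
  echo "artifacts left in $WORK"
}

if command -v openssl >/dev/null 2>&1; then demo_akid_chain; else echo "openssl not found"; fi
```

Run it as 'sh akid_demo.sh'; it needs only the openssl binary and leaves the generated keys, certificates and the captured error text in a temporary directory so the failing and working AKIDs can be compared with 'openssl x509 -noout -text'.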