[openssl-dev] verify fails for 3-level cert chain when using X509v3 Authority Key Identifier

Mon Jun 1 17:12:50 UTC 2015

Bonsoir John,

> Le 1 juin 2015 à 17:20, John Lofgren via RT <rt at openssl.org> a écrit :
> […]

> One remaining question. If this extension is "only a helper and MUST NOT be
> used to (in)validate a certificate chain" as you say or as the spec says
> "non-critical", then why does 'openssl verify' reject this chain?

That’s an open question. This topic has been raised on IETF PKIX last april.
The normative validation algorithm in section 6 of RFC5280 doesn’t use AKI/SKI.
RFC4158 is about path construction and is also clear on not using AKI/SKI to eliminate a certificate chain.