[openssl-dev] [openssl.org #1596] wrong AKI in cert

Viktor Dukhovni via RT rt at openssl.org
Fri Feb 5 07:31:01 UTC 2016


When a certificate is re-signed via "x509 -signkey" while keeping the
existing extensions (i.e. without "-clrext"), the (unwritten) expectation
is that all that's being changed is the validity dates, and the
previous certificate content remains unchanged.  Yes, the issuer is updated
to match the subject if they are not already the same, and the key is replaced
with the new key if different, but otherwise the certificate remains the same.

This is useful for extending the dates of existing self-signed certificates with
as little change as possible.

What this means in practice is that if something other than just the dates
is changing, one really should use "-clrext" and specify the new desired
extensions.

For example ("bash" inline file syntax):

  $ openssl x509 -clrext \
	-in old-cert.pem -out new-cert.pem -signkey key.pem \
	-extfile <(printf "%s\n%s\n" \
		"subjectKeyIdentifier = hash" \
		"authorityKeyIdentifier = keyid:always"
		)

In such cases one of course also needs to specify any other
desired extensions.

Now it may be argued that a more complicated strategy is possible,
in which:

  * It is determined whether the original certificate is self-signed
  * If so whether the new key is the original signer

and if either condition fails then, while retaining all other extensions
the subject key identifier and authority key identifier extensions are
dropped and regenerated as specified in the extant configuration.

Logic of that complexity is not in place, and it is not entirely clear
that its absence is a bug in the code, rather than a matter of incomplete
documentation of the limitations of this feature.

My take is that this is best addressed at the documentation level, but if
someone is really keen to try to make the code automatically perform the
right extension surgery, a pull request on Github might be the way to go.
	
-- 
	Viktor.


-------------------------------------------------------------------------
http://rt.openssl.org/Ticket/Display.html?id=1596
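Worked example added to this archived message (it is not part of Viktor's mail and not OpenSSL's own code): a POSIX shell script that re-signs a self-signed RSA certificate with a different key twice, once with plain "-signkey" (extensions copied verbatim, as the mail describes) and once with "-clrext" plus the two-line extfile recipe above, and then checks each result the way a practitioner would. Two checks are made: whether the subjectKeyIdentifier equals the SHA-1 hash of the public key actually in the certificate (what "subjectKeyIdentifier = hash" produces, RFC 5280 section 4.2.1.2 method 1), and whether the authorityKeyIdentifier keyid equals that subjectKeyIdentifier. It assumes an OpenSSL command-line tool (1.1.1 or newer) on PATH; the key sizes, subject name, file names and the scratch directory are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the RT ticket or from OpenSSL's sources.
# Re-sign a self-signed RSA certificate with a different key, once keeping
# the copied extensions and once with -clrext plus regenerated SKI/AKI,
# then check whether the key identifiers are actually consistent.
# Assumes: openssl (1.1.1+) on PATH. All file names are scratch files.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The recipe from the ticket: drop every copied extension and regenerate
# SKI first, then AKI (order matters: keyid:always reads the SKI just added).
resign_clrext() {   # $1 old cert, $2 signing key, $3 new cert
    printf '%s\n%s\n' \
        "subjectKeyIdentifier = hash" \
        "authorityKeyIdentifier = keyid:always" > "$WORK/ext.cnf"
    openssl x509 -clrext -in "$1" -signkey "$2" -days 365 \
        -extfile "$WORK/ext.cnf" -out "$3" 2>/dev/null
}

# Plain re-sign: only dates, issuer and key change; extensions are copied
# as-is, so an existing SKI/AKI go stale when the key differs.
resign_keep_exts() {   # $1 old cert, $2 signing key, $3 new cert
    openssl x509 -in "$1" -signkey "$2" -days 365 -out "$3" 2>/dev/null
}

# Fresh 2048-bit RSA key and a self-signed cert that carries SKI and AKI,
# built with the same -clrext recipe so its starting state is known.
make_self_signed() {   # $1 key out, $2 cert out
    openssl genrsa -out "$1" 2048 2>/dev/null
    openssl req -x509 -new -key "$1" -subj "/CN=resign-demo" -days 30 \
        -out "$WORK/bootstrap.pem" 2>/dev/null
    resign_clrext "$WORK/bootstrap.pem" "$1" "$2"
}

# Hex key identifier printed under the named extension in -text output
# ($1 is "Subject" or "Authority"). Older releases prefix the AKI value
# with "keyid:", which is stripped so both versions compare equal.
key_id() {   # $1 Subject|Authority, $2 cert
    openssl x509 -in "$2" -noout -text \
      | awk -v want="X509v3 $1 Key Identifier" \
            'index($0, want) { getline; print; exit }' \
      | sed -e 's/.*keyid://' -e 's/[[:space:]]//g' \
      | tr 'a-f' 'A-F'
}

# What "subjectKeyIdentifier = hash" yields for an RSA key: SHA-1 over the
# DER RSAPublicKey, i.e. the contents of the subjectPublicKey BIT STRING.
expected_ski() {   # $1 cert
    openssl x509 -in "$1" -noout -pubkey \
      | openssl rsa -pubin -RSAPublicKey_out -outform DER 2>/dev/null \
      | openssl dgst -sha1 -c \
      | sed 's/.*= *//' | tr 'a-f' 'A-F'
}

ski_matches_key() { [ "$(key_id Subject "$1")" = "$(expected_ski "$1")" ]; }
aki_matches_ski() { [ "$(key_id Authority "$1")" = "$(key_id Subject "$1")" ]; }

report() {   # $1 label, $2 cert
    if ski_matches_key "$2"; then s=ok; else s=STALE; fi
    if aki_matches_ski "$2"; then a=ok; else a=MISMATCH; fi
    printf '%-24s SKI vs key: %-6s AKI vs SKI: %s\n' "$1" "$s" "$a"
}

make_self_signed "$WORK/old-key.pem" "$WORK/old-cert.pem"
openssl genrsa -out "$WORK/new-key.pem" 2048 2>/dev/null
resign_keep_exts "$WORK/old-cert.pem" "$WORK/new-key.pem" "$WORK/stale-cert.pem"
resign_clrext    "$WORK/old-cert.pem" "$WORK/new-key.pem" "$WORK/new-cert.pem"

report "original"              "$WORK/old-cert.pem"
report "re-signed, no -clrext" "$WORK/stale-cert.pem"
report "re-signed, -clrext"    "$WORK/new-cert.pem"
```

The stale certificate is the instructive case: its AKI still equals its SKI, because both were copied from the original, so checking only that the two identifiers agree with each other does not catch the problem. Only comparing the SKI against the hash of the public key now in the certificate shows that both identifiers belong to the old key.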
