[openssl-users] Fwd to openssl-users Re: [openssl-dev] Why the issuer cannot be found?

Jakob Bohm jb-openssl at wisemo.com
Sat Apr 4 03:31:37 UTC 2015

(top posting like the rest of the thread)

What makes you think it is incorrect to check the Key
Identifier (where present) before checking a signature
against a key?

What other reasonable purpose could the Key Identifier
fields serve?

On 03/04/2015 10:56, Erwann Abalea wrote:
 > (Forwarded to openssl-users)
 > The subjectName of file4.pem matches the issuerName of
 > file3.pem, the signature block in file3.pem, when verified
 > with the public key of file4.pem, gives a correct signature
 > for the tbsCertificate of file3.pem. But Openssl also
 > (incorrectly, IMO) checks that file4.pem.SKI matches
 > file3.pem.AKI, and refuses to go further (here, AKI doesn't
 > match SKI).
 > Le 03/04/2015 03:10, Yuting Chen a écrit :
 > > I used OpenSSL to verify a certificate file (file3.pem)
 > > against another certificate file (file4.pem). OpenSSL
 > > reports that it cannot find the issuer of the cert in
 > > file3.pem; while when I displays file3.pem and file4.pem,
 > > it appears that the issuer of the cert in file3.pem is the
 > > same as the subject of the cert in file4.pem. Did I miss
 > > anything?


Don't put your e-mail sig in the middle of the mail, it causes
standards-compliant mail programs to cut off everything below
it when replying (because everyting below the --<space> marker
is, by definition, just the e-mail sig).


Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list