[openssl-users] cert chain file ordering question
Viktor Dukhovni
openssl-users at dukhovni.org
Wed Jan 10 03:32:57 UTC 2018
> On Jan 9, 2018, at 8:29 PM, Norm Green <norm.green at gemtalksystems.com> wrote:
>
> openssl x509 -in secondIntermedCa.pem -noout -text
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: 1.3.6.1.4.1.47749.1.1 = userCA, CN = EmeaCA
> Subject: 1.3.6.1.4.1.47749.1.1 = userCA, CN = KapitalCA
> X509v3 extensions:
> X509v3 Subject Key Identifier:
> C7:26:0D:BB:DF:7E:90:CA:7F:A0:C8:B7:CC:09:44:27:C0:53:A7:97
> X509v3 Authority Key Identifier:
> keyid:0F:D8:48:FB:6C:8D:C3:1A:E1:5C:94:32:45:E8:EA:DE:5B:C5:E5:34
> X509v3 Basic Constraints: critical
> CA:TRUE
> X509v3 Key Usage:
> Digital Signature, Key Encipherment
The Key Usage is not what I'd expect for a CA.
> openssl x509 -in firstIntermedCa.pem -noout -text
> Issuer: 1.3.6.1.4.1.47749.1.1 = rootCA
> Subject: 1.3.6.1.4.1.47749.1.1 = userCA, CN = EmeaCA
> X509v3 extensions:
> X509v3 Subject Key Identifier:
> 0F:D8:48:FB:6C:8D:C3:1A:E1:5C:94:32:45:E8:EA:DE:5B:C5:E5:34
> X509v3 Authority Key Identifier:
> keyid:5D:A3:87:58:67:E9:3D:B2:4F:8A:87:DA:CA:26:39:FF:FE:70:D5:F2
> X509v3 Basic Constraints: critical
> CA:TRUE
> X509v3 Key Usage:
> Digital Signature, Key Encipherment
Same here.
> openssl x509 -in rootCa.pem -noout -text
> Issuer: 1.3.6.1.4.1.47749.1.1 = rootCA
> Subject: 1.3.6.1.4.1.47749.1.1 = rootCA
> X509v3 extensions:
> X509v3 Subject Key Identifier:
> 5D:A3:87:58:67:E9:3D:B2:4F:8A:87:DA:CA:26:39:FF:FE:70:D5:F2
> X509v3 Authority Key Identifier:
> keyid:5D:A3:87:58:67:E9:3D:B2:4F:8A:87:DA:CA:26:39:FF:FE:70:D5:F2
>
> X509v3 Basic Constraints: critical
> CA:TRUE
> X509v3 Key Usage:
> Certificate Sign, CRL Sign
This Key Usage is more appropriate. When the "Key Usage" is present in
a CA certificate, it *MUST* include "Certificate Sign".
--
Viktor.
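The effect of the missing "Certificate Sign" bit can be seen with openssl verify. The script below is an added example, not code from the thread or from OpenSSL: it issues an intermediate twice from the same key and subject, once with the post's "Digital Signature, Key Encipherment" Key Usage and once with "Certificate Sign, CRL Sign", and verifies a leaf through each. It assumes openssl 1.1.1 or later on PATH; all file names and CNs are made up.

```shell
#!/bin/sh
# Added example, not from the thread: the intermediate is issued twice from
# the same key and subject, once with the post's "Digital Signature, Key
# Encipherment" Key Usage and once with "Certificate Sign, CRL Sign", and
# openssl verify is run against each chain. Assumes openssl 1.1.1+ on PATH;
# all file names and CNs are made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Fresh P-256 key in $1.key (EC keeps key generation fast)
genkey() { openssl ecparam -genkey -name prime256v1 -noout -out "$1.key" 2>/dev/null; }

# issue OUT CN KEY CAKEY CACERT EXTS: certify KEY.key as CN=CN and write
# OUT.pem carrying exactly the x509v3 lines in EXTS (\n separated) via
# -extfile, so no config defaults creep in. CACERT "-" means self-signed.
issue() {
    printf '%b\n' "$6" > "$1.ext"
    if [ "$5" = "-" ]; then opts="-signkey $4.key"
    else opts="-CA $5.pem -CAkey $4.key -CAcreateserial"; fi
    openssl req -new -key "$3.key" -subj "/CN=$2" 2>/dev/null |
        openssl x509 -req $opts -days 30 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}

# 0 if leaf.pem chains to root.pem through the untrusted intermediate $1.pem
chain_ok() { openssl verify -CAfile root.pem -untrusted "$1.pem" leaf.pem >/dev/null 2>&1; }

build_chains() {
    genkey root; genkey inter; genkey leaf
    issue root rootCA root root - \
        'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
    # The post's intermediate: CA:TRUE, but Key Usage omits Certificate Sign
    issue inter_bad EmeaCA inter root root \
        'basicConstraints=critical,CA:TRUE\nkeyUsage=digitalSignature,keyEncipherment'
    # Same key and subject with a CA-appropriate Key Usage
    issue inter_good EmeaCA inter root root \
        'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
    # End-entity certificate signed with the intermediate key (issuer name
    # and key match both intermediate certificates)
    issue leaf server leaf inter inter_good \
        'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature'
}

build_chains
if chain_ok inter_bad; then echo "unexpected: chain via inter_bad accepted"
else echo "rejected: intermediate Key Usage lacks keyCertSign"; fi
if chain_ok inter_good; then echo "accepted: chain via inter_good"; fi
```

The `$opts` expansion is intentionally unquoted so the option list word-splits; the only difference between the two intermediates is the keyUsage line.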