OpenSSL 111: authorityKeyIdentifier

Dirk Menstermann
Tue Mar 24 15:12:53 UTC 2020


I’m using OpenSSL 1.1.1 to issue a certificate and include the AKI by defining

authorityKeyIdentifier = keyid,issuer:always

The issued certificate contains the AKI afterwards with 3 values:

KeyID: issuer's key id

Serial: issuer's serial

Issuer: the issuer’s issuer, not the issuer’s subject!

My expectation (maybe wrong) is that the serial and the issuer name belong to
the same X509 certificate that the key id belongs to.

The code is pretty clear:

                                            X509V3_CTX *ctx,
                                            STACK_OF(CONF_VALUE) *values)

    cert = ctx->issuer_cert;
    // Code left out

    if ((issuer && !ikeyid) || (issuer == 2)) {
        isname = X509_NAME_dup(X509_get_issuer_name(cert));
        serial = ASN1_INTEGER_dup(X509_get_serialNumber(cert));
        if (!isname || !serial) {
            goto err;


Is this a bug or is my expectation wrong? Is it documented anywhere that these 3
values do not need to belong together?
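The logic of the quoted snippet, worked through as an added example (this is not code from the post or from OpenSSL): a small pure-Python DER encoder/decoder for the AuthorityKeyIdentifier extension that assembles it from the same three fields of the issuing CA's certificate that OpenSSL reads from `ctx->issuer_cert`. A constructed record (`CA_CERT`, with hypothetical names, serial and key identifier) stands in for that certificate. RFC 5280 section 4.2.1.1 defines authorityCertIssuer and authorityCertSerialNumber as the issuer name and serial number of the CA's own certificate, so all three values do describe one certificate, the issuer's, which is why the DirName in the AKI is the issuer's issuer rather than the issuer's subject. The `issuer` argument mirrors the config keyword: `"optional"` for plain `issuer` (emitted only when no key id could be found, the `issuer && !ikeyid` branch) and `"always"` for `issuer:always` (the `issuer == 2` branch).

```python
"""AuthorityKeyIdentifier (RFC 5280 4.2.1.1) built the way OpenSSL's
`authorityKeyIdentifier = keyid,issuer[:always]` does, plus a decoder.

Example code, not OpenSSL's own. Only CN/O attributes and positive serials
are supported; enough to show which certificate each AKI field comes from.
"""
from typing import Optional

# Constructed stand-in for ctx->issuer_cert: the certificate of the CA that
# signs the end-entity certificate. Names, serial and SKI are made up.
CA_CERT = {
    "subject": [("CN", "Example Issuing CA")],        # X509_get_subject_name(cert)
    "issuer": [("CN", "Example Root CA")],            # X509_get_issuer_name(cert)
    "serial": 0x1234,                                 # X509_get_serialNumber(cert)
    "ski": bytes.fromhex("0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d"),  # its SKI
}

OID_BY_ATTR = {"CN": b"\x55\x04\x03", "O": b"\x55\x04\x0a"}  # 2.5.4.3, 2.5.4.10
ATTR_BY_OID = {v: k for k, v in OID_BY_ATTR.items()}


def der_len(n: int) -> bytes:
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(n: int) -> bytes:
    """Minimal two's-complement INTEGER contents for a non-negative n."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True)


def encode_name(rdns) -> bytes:
    """Name ::= SEQUENCE OF RDN; each RDN is a SET with one UTF8String attribute."""
    out = b""
    for attr, value in rdns:
        atv = tlv(0x30, tlv(0x06, OID_BY_ATTR[attr]) + tlv(0x0C, value.encode()))
        out += tlv(0x31, atv)
    return tlv(0x30, out)


def build_aki(ca_cert: dict, keyid: bool = True, issuer: Optional[str] = None) -> bytes:
    """Mirror v2i logic: keyid from the CA cert's SKI; issuer/serial from the
    CA cert's *issuer name* and *serial* when (issuer && !ikeyid) || always."""
    ikeyid = ca_cert.get("ski") if keyid else None
    parts = b""
    if ikeyid:
        parts += tlv(0x80, ikeyid)                            # [0] keyIdentifier
    if (issuer and not ikeyid) or issuer == "always":
        dirname = tlv(0xA4, encode_name(ca_cert["issuer"]))  # GeneralName [4] directoryName
        parts += tlv(0xA1, dirname)                           # [1] authorityCertIssuer
        parts += tlv(0x82, der_int(ca_cert["serial"]))        # [2] authorityCertSerialNumber
    return tlv(0x30, parts)


def read_tlv(buf: bytes, off: int):
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def iter_tlvs(buf: bytes):
    off = 0
    while off < len(buf):
        tag, body, off = read_tlv(buf, off)
        yield tag, body


def decode_name(der: bytes):
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns = []
    for _set_tag, set_body in iter_tlvs(body):
        for _atv_tag, atv_body in iter_tlvs(set_body):
            (_, oid), (_, val) = list(iter_tlvs(atv_body))
            rdns.append((ATTR_BY_OID.get(oid, oid.hex()), val.decode()))
    return rdns


def parse_aki(der: bytes) -> dict:
    """Return {'keyid', 'issuer', 'serial'}; absent fields are None."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AuthorityKeyIdentifier must be a SEQUENCE")
    out = {"keyid": None, "issuer": None, "serial": None}
    for t, b in iter_tlvs(body):
        if t == 0x80:
            out["keyid"] = b
        elif t == 0xA1:
            for gn_tag, gn_body in iter_tlvs(b):
                if gn_tag == 0xA4:         # EXPLICIT tag: body is the Name itself
                    out["issuer"] = decode_name(gn_body)
        elif t == 0x82:
            out["serial"] = int.from_bytes(b, "big", signed=True)
    return out


if __name__ == "__main__":
    aki = parse_aki(build_aki(CA_CERT, keyid=True, issuer="always"))
    print("keyid :", aki["keyid"].hex())
    print("serial:", hex(aki["serial"]), "(the CA certificate's serial)")
    print("issuer:", aki["issuer"], "(the CA certificate's issuer, not its subject)")
```

Running it prints the same three values the post lists, and the decoded DirName is `Example Root CA`, i.e. the issuer of the CA certificate identified by the key id and serial. Dropping `:always` (`issuer="optional"`) suppresses the issuer and serial whenever a key id was found, exactly as the `issuer && !ikeyid` condition in the snippet does.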


More information about the openssl-users mailing list