Cross-signing non-self-signed third party certificate

Viktor Dukhovni openssl-users at
Fri Jun 2 00:40:28 UTC 2023

On Mon, May 29, 2023 at 03:25:35PM +0200, Yannik Sembritzki via openssl-users wrote:

> I am trying to cross-sign a third party certificate which is *not* self 
> signed (e.g. a third party intermediate CA, or even a particular client 
> certificate) like this:
> /openssl x509 -in third-party.crt -CA /etc/pki/r1/ca.crt -CAkey 
> /etc/pki/r1/private/ca.key -out third-party-cross-signed.crt -set_serial 
> 1000/
> This results in the following error: /Error with certificate to be 
> certified - should be self-signed//
> /
> The same thing works for signing third-party root CAs (as they are 
> self-signed), but that might be too broad in some situations.
> Could anybody explain the reason for this restriction?

One possible reason is that the certificates issued by the CA in
question could have AKID extensions that specify the serial
number of the issuing CA certificate and *its* issuer DN.

Any such certificates would not validate with a cross-signed
chain that replaces the parent issuer.


More information about the openssl-users mailing list