Cross-signing non-self-signed third party certificate

Viktor Dukhovni openssl-users at
Fri Jun 2 05:09:53 UTC 2023

On Fri, Jun 02, 2023 at 06:08:05AM +0200, David von Oheimb wrote:

> Correct that doing so, any existing AKID will need to be removed, or
> better replaced.  BTW, the x509 app already contains code filtering
> out both AKID and SKID extensions when converting a certificate to a
> PKCS#10 CSR.  In that use case the self-signedness does make sense,
> and I suspect that the restriction on the input cert being self-signed
> historically stems from that use case.

You misunderstood my point.  The problem AKIDs are not those in the
intermediate issuer cert, they could be in the *issued* EE certificates,
which the OP is not in a position to replace.  Admittedly "dirname"
AKIDs are not common, and could be a non-issue in this case, but they
are a potential obstacle to cross-certs for intermediate CAs.


More information about the openssl-users mailing list