Setting Issuer Alternative Name

Viktor Dukhovni openssl-users at dukhovni.org
Sun May 14 18:00:30 UTC 2023


On Sun, May 14, 2023 at 12:44:48PM -0400, Robert Moskowitz wrote:

> I looked at that manpage and tried:
> 
> authorityKeyIdentifier = 
> otherName:1.3.27.16.2.1.1;BITSTR:20010030000000052aeb9adc1ce8b1ec

https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1

       AuthorityKeyIdentifier ::= SEQUENCE {
          keyIdentifier             [0] KeyIdentifier           OPTIONAL,
          authorityCertIssuer       [1] GeneralNames            OPTIONAL,
          authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL  }

You're trying to set the AKID to just the GeneralName, but it has to be
a tagged sequence. Note that "authorityCertIssuer" is the name of
the "grandparent" of the certificate in which the AKID appears; along
with the authorityCertIssuer you'd need to provide the serial number
of the parent certificate.

But as I mentioned before, I don't expect that support for names other
than directory names in the AKID extension is particularly common.
You're better off with just "keyIdentifier", linking the child cert
to the key id of the parent cert.

Perhaps I should not have mentioned issuer SANs, you probably have no
use for them.  Do use the appropriate data type in the EE SAN.

-- 
    Viktor.

