certificate - Incorrect Authority Key Identifier on openssl end cert
2014-04
I'm getting interesting results when signing an end-server certificate using an intermediate CA using openssl.
I have a Root CA which looks like this:
Serial Number: 14296918985177649921 (0xc668dc11960d5301)
Issuer: C=US, ST=xROOTx, L=xROOTx, O=xROOTx, CN=xROOTx
Subject: C=US, ST=xROOTx, L=xROOTx, O=xROOTx, CN=xROOTx
X509v3 Subject Key Identifier:
1A:E5:27:E9:EF:2F:90:A7:13:91:1A:12:A9:3A:1D:AE:BA:1E:B8:35
Which has signed an intermediate CA which looks like this:
Serial Number: 0 (0x0)
Issuer: C=US, ST=xROOTx, L=xROOTx, O=xROOTx, CN=xROOTx
Subject: C=US, ST=xINTERx, O=xINTERx, CN=xINTERx
X509v3 Authority Key Identifier:
keyid:1A:E5:27:E9:EF:2F:90:A7:13:91:1A:12:A9:3A:1D:AE:BA:1E:B8:35
DirName:/C=US/ST=xROOTx/L=xROOTx/O=xROOTx/CN=xROOTx
serial:C6:68:DC:11:96:0D:53:01
X509v3 Subject Key Identifier:
16:BF:D6:2F:0D:58:A5:C3:84:95:4B:F6:FE:27:3E:0B:79:0C:6F:04
And when I sign the end-server cert I get this:
Serial Number: 1 (0x1)
Issuer: C=US, ST=xINTERx, O=xINTERx, CN=xINTERx
Subject: C=US, ST=xENDx, O=xENDx, CN=xENDx
X509v3 Authority Key Identifier:
keyid:16:BF:D6:2F:0D:58:A5:C3:84:95:4B:F6:FE:27:3E:0B:79:0C:6F:04
DirName:/C=US/ST=xROOTx/L=xROOTx/O=xROOTx/CN=xROOTx
serial:00
X509v3 Subject Key Identifier:
3B:86:64:4B:80:EE:BF:92:0D:A9:D6:FD:8C:FD:DD:FF:55:55:C6:11
This shows the correct KeyId and Serial from the intermediate CA but the wrong DirName, which for some reason is the Root CA's DN.
This is normal behavior.
The DirName in the Authority Key Identifier is actually the Subject name of the Issuer of the Issuer. Just including the Subject of the Issuer would be duplicating the Issuer DN already available in the certificate.
This is a common question that is also answered in the OpenSSL FAQ.
Is it possible to pass in the subject's key from stdin when creating CSRs with OpenSSL?
Like in the following (non-working):
openssl req -new -key stdin -subj '/C=US/ST=NY/L=Somewhere/organizationName=MyOrg/OU=MyDept/CN=fqdn.of.my.host'
The -key stdin part is not working.
I want to use OpenSSL for CSR and certificate creation in a scripting environment, and both keys and subject information are coming from a database.
*nix commands usually use a dash to represent stdin or stdout in the context of file parameters, so -key - is supposed to read the key from stdin. However, it seems that openssl doesn't implement this. Luckily, in Linux pretty much everything is a file, including stdin, which can be accessed as /dev/stdin (which is actually a symlink to /proc/self/fd/0), so the following works:
openssl req -new -key /dev/stdin
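The following script is an added example, not part of either answer above. It builds a throwaway root / intermediate / end-entity chain with the openssl CLI (all names, serials and the ext.cnf file are constructed for the demo), feeds the end-entity key to openssl req through /dev/stdin as the second answer describes, and then reads the end certificate's Authority Key Identifier back to show the point of the first answer: the DirName is the intermediate's issuer (the root) and the serial is the intermediate's own serial, which together identify the issuing certificate, and the chain still verifies.

```shell
set -e
WORK=$(mktemp -d) && cd "$WORK"

# Extensions for the demo: CA:TRUE for the intermediate, CA:FALSE for the
# end entity; both get a full AKI (keyid + issuer DirName + serial).
cat > ext.cnf <<'EOF'
[ca_ext]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ee_ext]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
EOF

# 1. Self-signed root (constructed DN).
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -subj '/C=US/O=xROOTx/CN=xROOTx' -days 30 2>/dev/null
# 2. Intermediate issued by the root with serial 0, as in the question.
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj '/C=US/O=xINTERx/CN=xINTERx' 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -set_serial 0 \
  -days 30 -extfile ext.cnf -extensions ca_ext -out inter.crt 2>/dev/null
# 3. End-entity CSR whose private key arrives on a pipe via /dev/stdin,
#    then its certificate issued by the intermediate with serial 1.
openssl genrsa 2048 2>/dev/null | openssl req -new -key /dev/stdin \
  -subj '/C=US/O=xENDx/CN=xENDx' -out end.csr 2>/dev/null
openssl x509 -req -in end.csr -CA inter.crt -CAkey inter.key -set_serial 1 \
  -days 30 -extfile ext.cnf -extensions ee_ext -out end.crt 2>/dev/null

# Pull the DirName and serial lines out of a certificate's AKI extension
# (the "Serial Number:" header is capitalised, so it does not match).
aki_dirname() { openssl x509 -in "$1" -noout -text | sed -n 's/^ *DirName://p'; }
aki_serial()  { openssl x509 -in "$1" -noout -text | sed -n 's/^ *serial://p'; }

# The end cert's AKI names the intermediate's ISSUER (the root DN) and the
# intermediate's serial (0), not the intermediate's own subject.
echo "end AKI DirName: $(aki_dirname end.crt)"   # /C=US/O=xROOTx/CN=xROOTx
echo "end AKI serial:  $(aki_serial end.crt)"    # 00
# And the chain validates, so the DirName is not "wrong".
openssl verify -CAfile root.crt -untrusted inter.crt end.crt
```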