I think you're right, there's an issue with AKID/SKID in x509 -
signkey. (I'm sending this on to rt@openssl.org, to open a ticket
for it.)

Repeat the mantra: "Only the Certifier has AKID == SKID.
Certificates have AKID == CA's SKID."

Now, forget the mantra, cuz the only exception is self-signed
certificates. (which is all a CA's certificate really is, if it's a
trust anchor.)

Since x509 -signkey is supposed to create self-signed certificates,
it's supposed to set AKID == SKID.

Now. I'm on OpenSSL 0.9.8e 23 Feb 2007, and I just did the following
sequence:

mkdir phase1
mkdir phase2
CA.pl -newca (generate demoCA/cacert.pem and demoCA/private/
cakey.pem) (SKID A8:2E, AKID A8:2E)
CA.pl -newcert (generate newcert.pem and newkey.pem) (SKID D8:75,
AKID D8:75)
mv *.pem phase1
CA.pl -newreq (generate newreq.pem and newkey.pem)
CA.pl -sign (generate newcert.pem) (SKID FB:9E, AKID A8:2E)
mv *.pem phase2
cd phase2
openssl x509 -in newcert.pem -out intermediary.pem -signkey newkey.pem

intermediary.pem reports SKID FB:9E, AKID A8:2E. It should set AKID
= SKID for -signkey, and so the AKID should be FB:9E.

-Kyle H

On Oct 24, 2007, at 11:01 PM, Simon McMahon wrote:

> Hi,
>
> cross ref on support list: "Re: refresh validity dates on a
> certificate".
>
> While trying to refresh validity on certs I noticed that "openssl
> x509 ...
> -signkey filename" modifies the issuer name. It also preserves the
> extensions but appears to copy them verbatum. If there is a "X509v3
> Authority Key Identifier" in there then it may not match the
> issuers key
> in the resulting cert. If it is producing a self-signed cert then
> surely
> the AKI and the SKI should be the same.
>
> Other openssl commands appear to try to verify this resulting cert and
> fail.
>
> I think if openssl is going to set the issuer and resign the cert
> then it
> should also update the AKI if it is present in the extensions.
> If it sets the subject public key then it should also update the
> "X509v3
> Subject Key Identifier" extension if present.
>
> I was using 9.8b.
>
> This is a cert where subject = issuer but ski != aki. In this case it
> should be aki = ski.
>
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 15 (0xf)
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: C=AU, ST=Queensland, O=IBM, L=Gold Coast, OU=GSKit,
> CN=sslcln
> Validity
> Not Before: Oct 25 04:00:23 2007 GMT
> Not After : Aug 14 04:00:23 2010 GMT
> Subject: C=AU, ST=Queensland, O=IBM, L=Gold Coast, OU=GSKit,
> CN=sslcln
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public Key: (1024 bit)
> Modulus (1024 bit):
> 00:a9:b1:99:5a:c2:d5:83:a6:6d:ea:d1:1f:f2:8c:
> bf:43:6c:a2:09:07:f8:14:2f:f7:07:e4:cb:57:d9:
> 53:2e:55:68:86:c8:4d:8f:d2:3a:5a:81:ca:65:b0:
> 83:0a:97:6e:5a:15:f5:df:65:8f:e0:27:e3:dc:d1:
> 84:3a:ac:a2:d8:a9:9e:69:e1:5f:1d:88:10:72:85:
> 7e:ea:a4:db:79:43:0b:63:6b:4f:e0:8f:ee:09:9a:
> 66:14:bb:b1:48:2d:17:0f:da:c0:f9:12:8e:a2:98:
> a5:61:86:85:14:10:30:c2:28:00:fd:0c:cb:ca:71:
> 9f:34:e0:8e:f5:25:f0:73:93
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Basic Constraints:
> CA:FALSE
> Netscape Comment:
> OpenSSL Generated Certificate
> X509v3 Subject Key Identifier:
> 8B:44:9A:12:AE:E10:7F:6F:0C:60:87:1E:A6:8A8:9C:3D:57:57
> X509v3 Authority Key Identifier:
> keyid:89:9E:C2:C4:E6:87:4E:C2C:9EE:A75:BE:64:F6:BF:2C:1E:2C
>
> X509v3 Subject Alternative Name:
>
>
> Signature Algorithm: sha1WithRSAEncryption
> 3a:15:9e:2d:0f:01:aa:b7:a2:86:b8:09:47:6b:00:7f:16 :3a:
> 32:46:11:be:06:16:f0:b8:cc:67:6e:8e:fe:32:14:5d:87 :1c:
> ea:da:fa:81:e8:e7:e8:9f:c5:e1:06:4b:cc:2e:de:f7:bc :df:
> 9e:60:be:94:23:67:b9:76:c9:47:4d:0c:ab:61:a5:eb:5e :3e:
> d3:50:c5:4b:4c:d3:92:a3:7e:31:03:dd:68:64:6a:e3:53 :df:
> 26:0b:c0:a0:d7:ff:a6:7d:5b:29:6f:50:8a:b7:8e:45:90 :c8:
> 1f:2e:a2:43:14:69:54:32:82:3c:90:b1:70:b2:8e:c1:b7 :5d:
> df:f7
>
> Simon McMahon
>
> __________________________________________________ ____________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List openssl-dev@openssl.org
> Automated List Manager majordomo@openssl.org


__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org