The Authority Key Identifier should be the ID of the CA's key. The
Subject Key Identifier should be the ID of the certified key. If
they are the same, then it is a self-signed certificate. (This
information comes from http://oasis-pki.org/pdfs/AKID_SKID1-af3.pdf
-- I'm not sure how OpenSSL derives the key identifiers, but it
really shouldn't matter since the key identifier is essentially
turned into an arbitrary generator-specified nym by that same PDF.)

You made a typo in your tests.

openssl x509 -in ocspss.pem -days 1024 -out ocspss2.pem -CA ca.pem -
CAserial serial

See the ocspss2.pem there?

a dump of ocspss.pem (worked) gives:

Since ocspss.pem was supposed to be a self-signed cert, and
ocspss2.pem wasn't, can you please post the dump of the ocspss2.pem
and test it?

(Also, if you can post the dump of ca.pem, it would help track down
or eliminate AKID/SKID issues.)

[And, this is also barring any odd circumstance like 'outside CA
validity period' or 'trying to sign for longer than the CA is
valid'. A dump of ca.pem will help determine that, as well.]

Thanks!

-Kyle H

On Oct 24, 2007, at 10:09 PM, Simon McMahon wrote:

> I just noticed in the extensions of the certificates that the
> "Subject Key
> Identifier" and "Authority Key Identifier" match in the one which
> works
> and are different in the one which fails. This may explain the
> verification failure.
>
> Looks like openssl has just copied the extensions without looking
> at them.
> It probably should update the "Authority Key Identifier" if it is
> present
> in the extensions.
>
> Simon McMahon
>
>
>
>
>
> Simon McMahon/Australia/Contr/IBM@IBMAU
> Sent by: owner-openssl-users@openssl.org
> 25/10/2007 02:48 PM
> Please respond to
> openssl-users@openssl.org
>
>
> To
> "Kyle Hamilton"
> cc
> openssl-users@openssl.org
> Subject
> Re: refresh validity dates on a certificate
>
>
>
>
>
>
> Great idea!
> That certainly should work but didn't for me.
> My openssl is "OpenSSL 0.9.8b 04 May 2006"
>
> The 1st command worked fine and gave a self-signed cert that looked
> fine.
> See below for a dump of it.
> openssl x509 -in sslcln.pem -days 1024 -out sslcln2.pem
> -signkey sslcln.pem
> The 2nd command returned the same error (see below) as I was getting
> before!
> openssl x509 -in sslcln2.pem -days 1024 -out
> sslcln3.pem -CA
> ca.pem -CAserial serial
>
> Note: sslcln.pem and ca.pem both contain the cert & private key.
>
> To make sure I wasn't just doing it wrong I tried it on another
> self-signed cert, created normally (for ocsp) with "openssl req -
> new -x509
>
> ..."
> openssl x509 -in ocspss.pem -days 1024 -out
> ocspss2.pem -CA
> ca.pem -CAserial serial
> This worked fine, updating the validity preserving the extensions as I
> needed.
>
> Did I do something wrong in command 1?
>
> error from command 2:
> Loading 'screen' into random state - done
> Getting CA Private Key
> /C=AU/ST=Queensland/O=IBM/L=Gold Coast/OU=GSKit/CN=sslcln
> error with certificate - error 20 at depth 0
> unable to get local issuer certificate
> /C=AU/ST=Queensland/O=IBM/L=Gold Coast/OU=GSKit/CN=sslcln
> error with certificate - error 21 at depth 0
> unable to verify the first certificate
>
> a dump of sslcln2.pem (not working) gives:
>
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 15 (0xf)
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: C=AU, ST=Queensland, O=IBM, L=Gold Coast, OU=GSKit,
> CN=sslcln
> Validity
> Not Before: Oct 25 04:00:23 2007 GMT
> Not After : Aug 14 04:00:23 2010 GMT
> Subject: C=AU, ST=Queensland, O=IBM, L=Gold Coast, OU=GSKit,
> CN=sslcln
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public Key: (1024 bit)
> Modulus (1024 bit):
> 00:a9:b1:99:5a:c2:d5:83:a6:6d:ea:d1:1f:f2:8c:
> bf:43:6c:a2:09:07:f8:14:2f:f7:07:e4:cb:57:d9:
> 53:2e:55:68:86:c8:4d:8f:d2:3a:5a:81:ca:65:b0:
> 83:0a:97:6e:5a:15:f5:df:65:8f:e0:27:e3:dc:d1:
> 84:3a:ac:a2:d8:a9:9e:69:e1:5f:1d:88:10:72:85:
> 7e:ea:a4:db:79:43:0b:63:6b:4f:e0:8f:ee:09:9a:
> 66:14:bb:b1:48:2d:17:0f:da:c0:f9:12:8e:a2:98:
> a5:61:86:85:14:10:30:c2:28:00:fd:0c:cb:ca:71:
> 9f:34:e0:8e:f5:25:f0:73:93
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Basic Constraints:
> CA:FALSE
> Netscape Comment:
> OpenSSL Generated Certificate
> X509v3 Subject Key Identifier:
> 8B:44:9A:12:AE:E10:7F:6F:0C:60:87:1E:A6:8A8:9C:3D:57:57
> X509v3 Authority Key Identifier:
> keyid:89:9E:C2:C4:E6:87:4E:C2C:9EE:A75:BE:64:F6:BF:2C:1E:2C
>
> X509v3 Subject Alternative Name:
>
>
> Signature Algorithm: sha1WithRSAEncryption
> 3a:15:9e:2d:0f:01:aa:b7:a2:86:b8:09:47:6b:00:7f:16 :3a:
> 32:46:11:be:06:16:f0:b8:cc:67:6e:8e:fe:32:14:5d:87 :1c:
> ea:da:fa:81:e8:e7:e8:9f:c5:e1:06:4b:cc:2e:de:f7:bc :df:
> 9e:60:be:94:23:67:b9:76:c9:47:4d:0c:ab:61:a5:eb:5e :3e:
> d3:50:c5:4b:4c:d3:92:a3:7e:31:03:dd:68:64:6a:e3:53 :df:
> 26:0b:c0:a0:d7:ff:a6:7d:5b:29:6f:50:8a:b7:8e:45:90 :c8:
> 1f:2e:a2:43:14:69:54:32:82:3c:90:b1:70:b2:8e:c1:b7 :5d:
> df:f7
>
> a dump of ocspss.pem (worked) gives:
>
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> ce:f1:9e:49:5a:60:ca:63
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: C=AU, ST=Queensland, L=Gold Coast, O=IBM, OU=GSKit,
> CN=ocspss
> Validity
> Not Before: Oct 6 06:53:16 2006 GMT
> Not After : Oct 5 06:53:16 2009 GMT
> Subject: C=AU, ST=Queensland, L=Gold Coast, O=IBM, OU=GSKit,
> CN=ocspss
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public Key: (1024 bit)
> Modulus (1024 bit):
> 00:df:2b:01:4f:21:f0:ba:3d:e1:e3:e2:02:a2:c0:
> 9e:82:a4:e3:a7:7a:d4:84:6e:fe:a8:5e:26:a5:ff:
> 80:80:d2:6e:7e:24:4d:ad:ca:b6:f6:c5:9b:b4:02:
> 9b:39:ca:9d:b4:48:99:6f:43:d6:f8:58:b8:ff:29:
> 21:3f:35:40:d3:40:dd:8f:a8:36:f2:3e:5e:ed:72:
> 5f:01:00:40:b5:9d:5c:3e:92:a3:7d:4b:a8:51:22:
> dd:6d:ab:e2:a6:f1:e1:52:30:bb:64:4b:82:33:af:
> bc:23:2e:4e:0d:5b:d5:b7:71:2f:64:52:cc:78:d0:
> 53:9d:ad:2b:ef:7e:16:21:cb
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Basic Constraints:
> CA:FALSE
> X509v3 Extended Key Usage:
> OCSP Signing
> Netscape Comment:
> OpenSSL Generated OCSP Certificate
> X509v3 Subject Key Identifier:
> AB:66:CE:08D:F2:3F:9E:45:67:694:05:8C:28:85:0C:F6:08:18
> X509v3 Authority Key Identifier:
> keyid:AB:66:CE:08D:F2:3F:9E:45:67:694:05:8C:28:85:0C:F6:08:18
>
> X509v3 Subject Alternative Name:
>
>
> Signature Algorithm: sha1WithRSAEncryption
> 65:6f:a9:c8:b2:e5:83:e6:20:c5:00:55:61:df:ee:ee:45 :1d:
> ff:fb:3e:87:1b:2e:b5:92:d3:ce:a5:8e:06:22:1d:73:eb :68:
> 59:45:a1:51:e4:a6:9d:e9:d4:10:c9:a7:2d:a4:3b:34:49 :0a:
> 3c:fa:9f:a1:16:49:6f:f1:5c:07:6b:05:40:1d:0f:1e:05 :71:
> 43:60:b9:d5:32:f6:d7:a8:6b:9c:5e:8e:1b:e9:ab:d8:51 :96:
> a1:cd:79:c4:6a:4d:5d:e5:d4:9f:10:a8:86:b4:4e:ab:8a :97:
> 70:7e:13:39:c9:0c:2d:38:4b:2e:ae:21:f7:b7:3a:a0:82 :03:
> c3:fd
>
>
> Simon McMahon
>
>
>
>
> "Kyle Hamilton"
> 25/10/2007 01:09 PM
>
> To
> openssl-users@openssl.org, Simon McMahon/Australia/Contr/IBM@IBMAU
> cc
>
> Subject
> Re: refresh validity dates on a certificate
>
>
>
>
>
>
> What I would do is a pair of commands:
>
> $ openssl x509 -in currentcertificate.pem -out selfsigned.pem -days
> 1024 -signkey currentkey.pem
> $ openssl x509 -in selfsigned.pem -days 1024 -CA ca.pem -CAserial
> serial -out refreshedcert.pem -outform PEM
>
> Since you're creating a self-signed cert in the first command, the
> input is appropriate for the -CA function.
>
> Note, under the BUGS section of the 'x509' man page, it says:
> "Extensions in certificates are not transferred to certificate
> requests and vice versa." So you can't just convert to request and
> then sign the request. However, extensions are retained from cert to
> cert if you don't use the -clrext option.
>
> -Kyle H
>
>
> On 10/24/07, Simon McMahon wrote:
>> I found this in the pkcs#12 FAQ:
>>
>>
>> 2. Extend the CA expiry date with e.g.:
>> openssl x509 -in demoCA/cacert.pem -days 1024 -out cacert.pem -
>> signkey
>> demoCA/private/cakey.pem
>> ...
>>
>> This is almost correct for me, and it even preserves the
>> extensions, but
>> it always produces a self-signed cert by resetting the issuer.
>>
>> I also tried the following, where my cert is in ee.pem (signed by

> ca.pem):
>>
>> openssl x509 -in ee.pem -days 1024 -out ee_1.pem
>> -CA
>> ca.pem -CAserial serial
>>
>> It fails like this:
>> Loading 'screen' into random state - done
>> Getting CA Private Key
>> /C=AU/ST=Queensland/O=IBM/L=Gold Coast/OU=Test/CN=ee
>> error with certificate - error 20 at depth 0
>> unable to get local issuer certificate
>> /C=AU/ST=Queensland/O=IBM/L=Gold Coast/OU=Test/CN=ee
>> error with certificate - error 21 at depth 0
>> unable to verify the first certificate
>>
>> The doc says "Without the -req option the input is a certificate
>> which
>> must be self signed" and the ee cert obviously isn't self-signed. Is

> there
>> any command options that can get this to work?
>>
>> I can write a program to do this but since it works already for
>> self-signed certs, I would have thought it would already be in
>> openssl.
>> Any reason why it's not in the 'openssl' command line tool?
>> If I patch the openssl tool to add this will it get integrated
>> into the
>> main code base? I.e. would anyone else use this to refresh end-user

> certs?
>>
>> Simon McMahon

>
>
> __________________________________________________ ____________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majordomo@openssl.org
>
>


__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org