On Wed, Sep 20, 2017 at 5:48 PM, Jordan Brown <openssl@xxxxxxxxxxxxxxxxxxxx> wrote:
> ...
> The above also works with "authorityCertSerialNumber", see
>
> https://tools.ietf.org/html/rfc5280#section-4.2.1.1
>
> If, however, the newer certificate has a different key, and the same
> subject DN, but does not place matching distinct subject key identifiers
> in the certificates it issues, then OpenSSL will not correctly handle
> multiple candidate issuers that differ in the public key, but provide
> no hints in the issued certificates which issuer to use.
>
> I'm not familiar with those extensions and will need to do more research.

I believe the controlling IETF document is "Internet X.509 Public Key Infrastructure: Certification Path Building", https://tools.ietf.org/html/rfc4158.

Jeff

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
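The situation discussed above (two CA certificates with the same subject DN but different keys, and issued certificates that may or may not carry an authorityKeyIdentifier hint) can be modelled with a small RFC 4158-style issuer selector. The following is an added illustration, not OpenSSL code and not from the thread: certificates are plain Python objects, and the signature is an HMAC stand-in (the CA "key" serves as both signing and verification key) so the script runs with the standard library only; a real path builder verifies the X.509 signature with the candidate's public key. The naive selector takes the first subject-DN match, which is the failure mode the quoted text describes; the hinted selector narrows candidates by AKI keyIdentifier (matched against the candidate's subjectKeyIdentifier) or by authorityCertIssuer/authorityCertSerialNumber, and when no hint is present falls back to trying the signature against every DN match. Falling back to all DN matches when a hint matches nothing is a design choice of this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int
    key: bytes                                        # stand-in for the public key (HMAC secret here)
    tbs: bytes                                        # "to-be-signed" content
    signature: bytes
    ski: Optional[bytes] = None                       # subjectKeyIdentifier
    aki_keyid: Optional[bytes] = None                 # AKI keyIdentifier
    aki_issuer_serial: Optional[Tuple[str, int]] = None  # AKI authorityCertIssuer + authorityCertSerialNumber


def _sign(key: bytes, tbs: bytes) -> bytes:
    # Stand-in for a public-key signature (assumption: MAC instead of RSA/ECDSA).
    return hmac.new(key, tbs, hashlib.sha256).digest()


def _verify(cert: Cert, issuer_key: bytes) -> bool:
    return hmac.compare_digest(_sign(issuer_key, cert.tbs), cert.signature)


def _keyid(key: bytes) -> bytes:
    # RFC 5280 4.2.1.2 method (1): SHA-1 over the public key bits.
    return hashlib.sha1(key).digest()


def make_ca(subject: str, serial: int, with_ski: bool = True) -> Cert:
    """Self-signed CA certificate; a fresh random key each call."""
    key = os.urandom(32)
    tbs = f"{subject}|{subject}|{serial}".encode()
    return Cert(subject, subject, serial, key, tbs, _sign(key, tbs),
                ski=_keyid(key) if with_ski else None)


def issue(ca: Cert, subject: str, serial: int, aki: Optional[str] = None) -> Cert:
    """aki: None (no hint), 'keyid' (copies the CA's SKI) or 'issuer_serial'."""
    tbs = f"{subject}|{ca.subject}|{serial}".encode()
    leaf = Cert(subject, ca.subject, serial, os.urandom(32), tbs, _sign(ca.key, tbs))
    if aki == "keyid":
        leaf.aki_keyid = ca.ski            # None if the CA has no SKI, i.e. no usable hint
    elif aki == "issuer_serial":
        leaf.aki_issuer_serial = (ca.subject, ca.serial)
    return leaf


def select_issuer_naive(cert: Cert, pool: List[Cert]) -> Optional[Cert]:
    """First certificate whose subject equals the issuer DN; no further checks."""
    for cand in pool:
        if cand.subject == cert.issuer:
            return cand
    return None


def select_issuer(cert: Cert, pool: List[Cert]) -> Tuple[Optional[Cert], int]:
    """Name match, then AKI hint, then trial signature verification.

    Returns (issuer or None, number of signature verifications performed).
    """
    by_name = [c for c in pool if c.subject == cert.issuer]
    if cert.aki_keyid is not None:
        hinted = [c for c in by_name if c.ski == cert.aki_keyid]
    elif cert.aki_issuer_serial is not None:
        hinted = [c for c in by_name if (c.subject, c.serial) == cert.aki_issuer_serial]
    else:
        hinted = []
    tried = 0
    for cand in hinted or by_name:     # a hint narrows; if it matches nothing, try every DN match
        tried += 1
        if _verify(cert, cand.key):
            return cand, tried
    return None, tried


def demo() -> dict:
    """Constructed scenario: a re-keyed root with the same DN as its predecessor."""
    old_ca = make_ca("CN=Example Root CA", serial=1)
    new_ca = make_ca("CN=Example Root CA", serial=2)        # different key, same subject DN
    pool = [old_ca, new_ca]                                  # old certificate listed first
    hinted = issue(new_ca, "CN=server.example", 100, aki="keyid")
    by_serial = issue(new_ca, "CN=server.example", 101, aki="issuer_serial")
    unhinted = issue(new_ca, "CN=server.example", 102)

    results = {}
    naive = select_issuer_naive(unhinted, pool)
    results["naive_picks_old_key"] = naive is old_ca
    results["naive_signature_ok"] = _verify(unhinted, naive.key)
    for name, leaf in (("keyid", hinted), ("issuer_serial", by_serial), ("none", unhinted)):
        issuer, tried = select_issuer(leaf, pool)
        results[name] = (issuer is new_ca, tried)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With a hint present the correct issuer is found after one verification; without a hint the builder must try each same-DN candidate in turn, and a selector that stops at the first DN match picks the old key and fails verification.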