Re: error 20 at 0 depth lookup:unable to get local issuer certificate error

> On Jan 25, 2018, at 4:59 AM, Oleg Smelkoff <osmelkov@xxxxxxxxx> wrote:
> 
> As I thought, the reason for that problem was an incorrect AKID in the EE certificate,
> because the AKID has to identify the issuer of the issuer,

That is indeed the problem, but your statement above is not accurate.
In the AKID extension the following rules apply:

   (See https://tools.ietf.org/html/rfc5280#section-4.2.1.1)

   1. The "keyIdentifier" (keyid), if present, must match the subject key
      ID of the issuing CA's certificate (not the issuer of the issuer)

   2. The "authorityCertSerialNumber", if present, must match the serial
      number of issuing CA's certificate (not the issuer of the issuer)

   3. The "authorityCertIssuer" (DirName), if present, must match the
      issuer DN of the issuing CA's certificate.

It is part 3 that is perhaps confusing you a bit, because it is also
the subject DN of the issuing CA's issuer.

> Could you help me, please. I'm really stuck on this problem :(

The above requirements are not met by D2, because C2's issuer:

  OBJECT            :INN
  NUMERICSTRING     :007710474375
  OBJECT            :OGRN
  NUMERICSTRING     :1047702026701
  OBJECT            :emailAddress
  IA5STRING         :dit@xxxxxxxxxxx
  OBJECT            :streetAddress
  UTF8STRING        :125375 г. Москва ул. Тверская д.7
  OBJECT            :organizationName
  UTF8STRING        :Минкомсвязь России
  OBJECT            :localityName
  UTF8STRING        :Москва
  OBJECT            :stateOrProvinceName
  UTF8STRING        :77 г. Москва
  OBJECT            :countryName
  PRINTABLESTRING   :RU
  OBJECT            :commonName
  UTF8STRING        :УЦ 1 ИС ГУЦ

does not match D2's AKID DirName:

  OBJECT            :OGRN
  NUMERICSTRING     :1069659052760
  OBJECT            :INN
  NUMERICSTRING     :006659140843
  OBJECT            :countryName
  PRINTABLESTRING   :RU
  OBJECT            :stateOrProvinceName
  UTF8STRING        :66 Свердловская область
  OBJECT            :localityName
  UTF8STRING        :Екатеринбург
  OBJECT            :streetAddress
  UTF8STRING        :ул. Первомайская, д. 15
  OBJECT            :organizationalUnitName
  UTF8STRING        :Удостоверяющий центр
  OBJECT            :organizationName
  UTF8STRING        :ООО "МОСТИНФО"
  OBJECT            :commonName
  UTF8STRING        :Подчиненный УЦ 2.0

While D1's AKID DirName is:

  OBJECT            :INN
  NUMERICSTRING     :007710474375
  OBJECT            :OGRN
  NUMERICSTRING     :1047702026701
  OBJECT            :emailAddress
  IA5STRING         :dit@xxxxxxxxxxx
  OBJECT            :streetAddress
  UTF8STRING        :125375 г. Москва ул. Тверская д.7
  OBJECT            :organizationName
  UTF8STRING        :Минкомсвязь России
  OBJECT            :localityName
  UTF8STRING        :Москва
  OBJECT            :stateOrProvinceName
  UTF8STRING        :77 г. Москва
  OBJECT            :countryName
  PRINTABLESTRING   :RU
  OBJECT            :commonName
  UTF8STRING        :УЦ 1 ИС ГУЦ

which does match C1's and C2's common issuer DN, that is, B's subject DN.

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
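The three AKID rules above, turned into a check with the Python cryptography library; this is an added example, not code from the thread or from OpenSSL. It builds a throwaway chain B -> C -> D (hypothetical names following the thread's labels, `_cert` and `demo` are constructed helpers) in which D2's AKID DirName deliberately carries C's subject DN instead of C's issuer DN, the same kind of mismatch as in the thread.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def check_akid(ee, ca):
    """Return the AKID fields of `ee` that do not match its issuing CA `ca`."""
    akid = ee.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
    problems = []
    # Rule 1: keyid must equal the issuing CA's SubjectKeyIdentifier.
    ski = ca.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
    if akid.key_identifier not in (None, ski.digest):
        problems.append("keyid != CA SKI")
    # Rule 2: serial must equal the issuing CA certificate's serial number.
    if akid.authority_cert_serial_number not in (None, ca.serial_number):
        problems.append("authorityCertSerialNumber != CA serial")
    # Rule 3: DirName must equal the issuing CA's *issuer* DN (the subject DN of
    # the CA's own issuer), not the CA's subject DN.
    if akid.authority_cert_issuer is not None:
        dns = [n.value for n in akid.authority_cert_issuer if isinstance(n, x509.DirectoryName)]
        if ca.issuer not in dns:
            problems.append("authorityCertIssuer != CA issuer DN")
    return problems

def _cert(cn, issuer_cert, issuer_key, key, akid_dirname=None, is_ca=False):
    """Build a minimal test certificate (hypothetical helper for this example)."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    start = datetime.datetime(2018, 1, 25)
    b = (x509.CertificateBuilder().subject_name(subject)
         .issuer_name(issuer_cert.subject if issuer_cert else subject)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365))
         .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), False)
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), True))
    if issuer_cert is not None:  # AKID: keyid, DirName and serial of the issuing CA
        ski = issuer_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
        b = b.add_extension(x509.AuthorityKeyIdentifier(
            ski.digest, [x509.DirectoryName(akid_dirname)], issuer_cert.serial_number), False)
    return b.sign(issuer_key, hashes.SHA256())

def demo():
    # Constructed chain B -> C -> D: D1 has a correct AKID, D2 a wrong DirName.
    b_key, c_key, d_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    B = _cert("B", None, b_key, b_key, is_ca=True)
    C = _cert("C", B, b_key, c_key, akid_dirname=B.issuer, is_ca=True)
    D1 = _cert("D1", C, c_key, d_key, akid_dirname=C.issuer)   # B's subject DN: right
    D2 = _cert("D2", C, c_key, d_key, akid_dirname=C.subject)  # C's own subject: wrong
    return check_akid(D1, C), check_akid(D2, C)
```

Running `demo()` returns an empty list for D1 and a single DirName mismatch for D2, which is the condition behind the "unable to get local issuer certificate" failure in the thread.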