On Sun, May 14, 2023 at 12:44:48PM -0400, Robert Moskowitz wrote:

> I looked at that manpage and tried:
>
> authorityKeyIdentifier =
> otherName:1.3.27.16.2.1.1;BITSTR:20010030000000052aeb9adc1ce8b1ec

https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1

    AuthorityKeyIdentifier ::= SEQUENCE {
        keyIdentifier             [0] KeyIdentifier            OPTIONAL,
        authorityCertIssuer       [1] GeneralNames             OPTIONAL,
        authorityCertSerialNumber [2] CertificateSerialNumber  OPTIONAL }

You're trying to set the AKID to just the GeneralName, but it has to be
a tagged sequence, and note that "authorityCertIssuer" is the name of
the "grandparent" of the certificate in which the AKID appears, along
with the authorityCertIssuer you'd need to provide the serial number of
the parent certificate.

But as I mentioned before, I don't expect that support for names other
than directory names in the AKID extension is particularly common.
You're better off with just "keyIdentifier", linking the child cert to
the key id of the parent cert.

Perhaps I should not have mentioned issuer SANs, you probably have no
use for them. Do use the appropriate data type in the EE SAN.

-- 
    Viktor.
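To make the structural point in the reply above concrete, here is an added, stand-alone Python example (not from the thread, and not OpenSSL code). It encodes and decodes the AuthorityKeyIdentifier SEQUENCE from RFC 5280 section 4.2.1.1 with a small hand-written DER layer, rejects a bare GeneralName placed where the SEQUENCE belongs, enforces that authorityCertIssuer and authorityCertSerialNumber appear together, and checks the keyIdentifier link against an issuer's key the way a path builder does (SHA-1 of the subjectPublicKey bits, RFC 5280 section 4.2.1.2 method 1). The issuer public key bytes, DNS name and serial number are constructed placeholders; dNSName is used for the GeneralNames entry only because it is the simplest name form to encode by hand.

```python
# Added example: minimal DER encoder/decoder for the RFC 5280 AuthorityKeyIdentifier.
# Illustration only; the issuer key bytes, name and serial below are constructed.
import hashlib


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Tag-length-value with a single-byte tag."""
    return bytes([tag]) + der_len(len(body)) + body


def der_integer(n: int) -> bytes:
    """Content octets of a non-negative INTEGER (leading 0x00 if the high bit is set)."""
    raw = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw


def key_identifier_from_spki(subject_public_key: bytes) -> bytes:
    """RFC 5280 4.2.1.2 method (1): SHA-1 over the subjectPublicKey BIT STRING value."""
    return hashlib.sha1(subject_public_key).digest()


def encode_akid(key_identifier=None, issuer_dns_names=None, serial=None) -> bytes:
    """AuthorityKeyIdentifier ::= SEQUENCE of up to three IMPLICIT context-tagged fields."""
    if (issuer_dns_names is None) != (serial is None):
        raise ValueError("authorityCertIssuer and authorityCertSerialNumber go together")
    parts = b""
    if key_identifier is not None:
        parts += tlv(0x80, key_identifier)  # [0] KeyIdentifier (IMPLICIT OCTET STRING)
    if issuer_dns_names is not None:
        # [1] GeneralNames, constructed; each entry is dNSName = [2] IMPLICIT IA5String (0x82)
        names = b"".join(tlv(0x82, n.encode("ascii")) for n in issuer_dns_names)
        parts += tlv(0xA1, names)
        parts += tlv(0x82, der_integer(serial))  # [2] CertificateSerialNumber (IMPLICIT INTEGER)
    return tlv(0x30, parts)  # the outer SEQUENCE is what the extension value must be


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


GENERAL_NAME_TYPES = {0: "otherName", 1: "rfc822Name", 2: "dNSName", 4: "directoryName",
                      6: "uniformResourceIdentifier", 7: "iPAddress"}
TEXT_NAME_TYPES = ("rfc822Name", "dNSName", "uniformResourceIdentifier")


def decode_general_names(body: bytes) -> list:
    """Decode a GeneralNames SEQUENCE body into (type, value) pairs; non-text forms stay raw."""
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        kind = GENERAL_NAME_TYPES.get(tag & 0x1F, "unknown")
        names.append((kind, value.decode("ascii") if kind in TEXT_NAME_TYPES else value))
    return names


def decode_akid(der: bytes) -> dict:
    """Parse an AuthorityKeyIdentifier; anything but a SEQUENCE of the three tags is an error."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("AuthorityKeyIdentifier must be a SEQUENCE, got tag 0x%02x" % tag)
    akid = {"keyIdentifier": None, "authorityCertIssuer": None, "authorityCertSerialNumber": None}
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == 0x80:
            akid["keyIdentifier"] = value
        elif tag == 0xA1:
            akid["authorityCertIssuer"] = decode_general_names(value)
        elif tag == 0x82:  # same tag byte as dNSName, but here it is the serial INTEGER
            akid["authorityCertSerialNumber"] = int.from_bytes(value, "big", signed=True)
        else:
            raise ValueError("unexpected tag 0x%02x inside AuthorityKeyIdentifier" % tag)
    if (akid["authorityCertIssuer"] is None) != (akid["authorityCertSerialNumber"] is None):
        raise ValueError("authorityCertIssuer and authorityCertSerialNumber must appear together")
    return akid


def is_well_formed_akid(der: bytes) -> bool:
    try:
        decode_akid(der)
        return True
    except (ValueError, IndexError):
        return False


def akid_links_to(child_akid_der: bytes, issuer_subject_public_key: bytes) -> bool:
    """The keyIdentifier check a path builder uses to pair a child cert with its issuer."""
    akid = decode_akid(child_akid_der)
    return akid["keyIdentifier"] == key_identifier_from_spki(issuer_subject_public_key)


if __name__ == "__main__":
    issuer_spk = bytes(range(64))  # constructed stand-in for the issuer's subjectPublicKey bits
    akid = encode_akid(key_identifier=key_identifier_from_spki(issuer_spk))
    print(akid.hex(), decode_akid(akid), akid_links_to(akid, issuer_spk))
    # A bare otherName ([0] constructed, tag 0xA0) is not a SEQUENCE and is rejected:
    print(is_well_formed_akid(tlv(0xA0, b"\x06\x03\x2a\x03\x04")))
```

The decoder shows why the bare `otherName:` form cannot work: the extension value must start with the SEQUENCE tag 0x30, and a GeneralName dropped in its place begins with a context tag instead. It also shows that a keyIdentifier-only AKID is three fields shorter and needs nothing but the issuer's key, which is why the keyid form is the one that interoperates.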