i asked a question about the whole aKID and sKID piece on the pkix list
and Peter Gutmann said something that I had lost track of in the weeds...
The content of keyid used in:
authorityKeyIdentifier = keyid
Is the sKID from the signing cert. argh.
So going back to the hack that Viktor had given me to have control over
the Validity dates in my self-signed cert,,,,
I realized that was where the aKID was really coming from, and that cert
was generated before I worked out controlling sKID in the conf:
subjectKeyIdentifier = $ENV::DET
So go all the way back to start.
and Now I have my certs with the sKID and aKID I was trying to get.
Well there is 2+ days of struggle and distracting all of you from other
tasks!
Thank you Viktor for you time.
I can't directly control what is in aKID, as it is pulling aKID from the
signing cert. Fix that and..
Bob
On 5/14/23 15:28, Robert Moskowitz wrote:
On 5/14/23 14:00, Viktor Dukhovni wrote:
On Sun, May 14, 2023 at 12:44:48PM -0400, Robert Moskowitz wrote:
I looked at that manpage and tried:
authorityKeyIdentifier =
otherName:1.3.27.16.2.1.1;BITSTR:20010030000000052aeb9adc1ce8b1ec
https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1
AuthorityKeyIdentifier ::= SEQUENCE {
keyIdentifier [0] KeyIdentifier OPTIONAL,
authorityCertIssuer [1] GeneralNames OPTIONAL,
authorityCertSerialNumber [2] CertificateSerialNumber
OPTIONAL }
You're trying to set the AKID to just the GeneralName, but it has to be
a tagged sequence,
I did spend some time digging to get what a "tagged sequence" is let
alone represent it but can't find it in 5280
and note that "authorityCertIssuer" is the name of
the "grandparent" of the certificate in which the AKID appears, along
with the authorityCertIssuer you'd need to provide the serial number
of the parent certificate.
The two together seems only mandated in sec A.2.
I am not finding any discussion on authorityCertIssuer being that of
the "grandparent", can you point me to that?
But as I mentioned before, I don't expect that support for names other
than directory names in the AKID extension is particularly common.
Well I could put:
e.d.c.a.b.0.b.e.0.6.8.2.e.0.b.9.5.0.8.f.f.3.e.f.f.3.0.0.1.0.0.2.ip6.arpa.
? It will exist (we are for now doing this under driptesting.org as it
will be a bit of process to get 3.0.0.1.0.0.2.ip6.arpa. delegated).
But that is 73 bytes to show a 16 byte value.
You're better off with just "keyIdentifier", liking the child cert
to the key if of the parent cert.
I assume you mean:
authorityKeyIdentifier = keyid
and I can't see how to set keyid to 20010030000000052aeb9adc1ce8b1ec
I can control subjectKeyIdentifier like:
subjectKeyIdentifier = 20010030000000052aeb9adc1ce8b1ec
X509v3 Subject Key Identifier:
20:01:00:30:00:00:00:05:2A:EB:9A:DC:1C:E8:B1:EC
Which is defined as:
SubjectKeyIdentifier ::= KeyIdentifier
I tried
authorityKeyIdentifier = keyid=20010030000000052aeb9adc1ce8b1ec
And get an error
authorityKeyIdentifier = keyid:20010030000000052aeb9adc1ce8b1ec
Just uses the keyid as is:
X509v3 Authority Key Identifier:
0F:4E:5E:54:C2:4F:80:9E:E5:79:CD:B4:14:9B:BF:EB:A8:57:CB:CA
Perhaps I should not have mentioned issuer SANs, you probably have no
use for them. Do use the appropriate data type in the EE SAN.
