On Fri, Jun 02, 2023 at 06:08:05AM +0200, David von Oheimb wrote:
> Correct that doing so, any existing AKID will need to be removed, or
> better replaced. BTW, the x509 app already contains code filtering
> out both AKID and SKID extensions when converting a certificate to a
> PKCS#10 CSR. In that use case the self-signedness does make sense,
> and I suspect that the restriction on the input cert being self-signed
> historically stems from that use case.
You misunderstood my point. The problem AKIDs are not those in the
intermediate issuer cert, they could be in the *issued* EE certificates,
which the OP is not in a position to replace. Admittedly "dirname"
AKIDs are not common, and could be a non-issue in this case, but they
are a potential obstacle to cross-certs for intermediate CAs.
--
Viktor.
