
I am having a problem using the example provided by OpenSSL to create a certificate request with v3 extensions. The entire code can be found in mkreq.c in openssl/demos/x509/.

Adding some x509v3 extensions to a cert request works fine. I can add the key usage or a subject alt name:

add_ext(exts, NID_key_usage, "critical,digitalSignature,keyEncipherment");
add_ext(exts, NID_subject_alt_name, "email:steve@openssl.org");

but when I try to add an AuthorityKeyIdentifier this is not working...

add_ext(exts, NID_authority_key_identifier, "keyid,issuer");

The add_ext function is also provided in mkreq.c:

#include <openssl/x509v3.h>

/* Build an extension from its NID and an OpenSSL config-style value
 * string, then push it onto the request's extension stack. */
int add_ext(STACK_OF(X509_EXTENSION) *sk, int nid, char *value)
{
    X509_EXTENSION *ex;

    /* The X509V3_CTX argument is NULL, so no issuer certificate is
     * available to extensions that need one. */
    ex = X509V3_EXT_conf_nid(NULL, NULL, nid, value);
    if (!ex)
        return 0;
    sk_X509_EXTENSION_push(sk, ex);

    return 1;
}

Does somebody have a clue why some extensions work and some don't? When I add the same extensions to a self-signed certificate, it works well...

2 Answers

After some more searching, it seems this is not possible, because you do not know the CA at the time you create the certificate request...

Answered 2013-11-13T15:24:47.043

I found the following worth sharing, but I am not sure whether it is related to your case.

When generating a self-signed certificate on the command line, the order of some extensions matters. If you want to use keyid as the authority key id, you must declare subjectKeyIdentifier first:

subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer

In this case, authorityKeyIdentifier will be filled with the keyid, and issuer will not be used.

If you declare them in the reverse order, authorityKeyIdentifier will be filled with the issuer instead. Probably because the program tries to initialize authorityKeyIdentifier from subjectKeyIdentifier.

If you declare authorityKeyIdentifier = keyid:always, a hard error is raised because the keyid is unknown.

I hope this helps someone. It took me a while to figure that one out.

Answered 2015-07-09T21:50:06.147
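The ordering described in the answer above, as an added example that is not part of either post: a self-signed certificate is built from a config that declares subjectKeyIdentifier before authorityKeyIdentifier, and the resulting AKI is checked to contain a keyid rather than falling back to the issuer DirName. It assumes the openssl CLI is on PATH; the file names and CN are made up.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes `openssl` is on PATH.

# Generates a self-signed CA cert from a config where SKI is declared
# before AKI. Prints the Authority Key Identifier section and returns 0
# when it holds a keyid (colon-separated hex) and no DirName, i.e. the
# "issuer" fallback was not needed.
selfsigned_aki_from_keyid() {
    work=$(mktemp -d) || return 1
    cat > "$work/ski_first.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no

[ dn ]
CN = example-ca

[ v3_ca ]
# SKI first: on older OpenSSL the AKI keyid is looked up from it.
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = critical,CA:TRUE
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$work/ski_first.cnf" \
        -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null || return 1
    aki=$(openssl x509 -in "$work/ca.crt" -noout -text \
          | grep -A2 'Authority Key Identifier')
    rm -rf "$work"
    printf '%s\n' "$aki"
    # keyid present as hex bytes; issuer DirName must not have been used
    printf '%s' "$aki" | grep -Eq '[0-9A-F]{2}:[0-9A-F]{2}' || return 1
    printf '%s' "$aki" | grep -q 'DirName' && return 1
    return 0
}

selfsigned_aki_from_keyid
```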