On Tue, Jun 13, 2006 19:28:58 PM +0200, io (mfioretti@mclink.it) wrote:
I have a remote server running CentOS 4.3 and a home desktop running SUSE 10.1. I have generated an SSL certificate on the server, copied it to the desktop and run on the desktop:
After a lot of googling, I have found that:
openssl -verify -issuer_checks returns:
error 30 at 0 depth lookup:authority and subject key identifier mismatch
which, in turn, seems to be caused by screwed settings of subjectKeyIdentifier and authorityKeyIdentifier in openssl.conf. But I have not changed them from the default:
######################################################################
marco@polaris:~/geecheck/usr/share/ssl> grep -i keyidentifier openssl.cnf
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
authorityKeyIdentifier=keyid:always,issuer:always
marco@polaris:~/geecheck/usr/share/ssl>
########################################################################
Should I change them? If yes, to which values? The ones suggested at http://middleware.internet2.edu/hepki-tag/pki-lite/hepki-tag-pkilite-root-pr..., for example: are in contrast with them. I will try those settings tomorrow, but I would really like to hear your opinion, before trying all possible combinations of values...
TIA, marco