| author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2021-08-27 11:34:23 +0200 |
|---|---|---|
| committer | Dr. David von Oheimb <dev@ddvo.net> | 2021-11-08 09:15:13 +0100 |
| commit | 9bf1061c44c81059102cd4749f6078b6ce71da9d | |
| tree | e79e5c54b5d979cef00e9b174fc65e2ffee0add5 (/doc/man5) | |
| parent | 03ee2e5b1ecd1832d99d07fc459ecf62f5a0b168 | |
APPS/x509: Fix generation of AKID via v2i_AUTHORITY_KEYID()
Fixes #16300
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16442)
Diffstat (limited to 'doc/man5')
-rw-r--r-- | doc/man5/x509v3_config.pod | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/doc/man5/x509v3_config.pod b/doc/man5/x509v3_config.pod index 1d4c4dc3ae..2a3afee27f 100644 --- a/doc/man5/x509v3_config.pod +++ b/doc/man5/x509v3_config.pod @@ -194,13 +194,16 @@ Otherwise it may have the value B<keyid> or B<issuer> or both of them, separated by C<,>. Either or both can have the option B<always>, indicated by putting a colon C<:> between the value and this option. +For self-signed certificates the AKID is suppressed unless B<always> is present. By default the B<x509>, B<req>, and B<ca> apps behave as if "none" was given for self-signed certificates and "keyid, issuer" otherwise. -If B<keyid> is present, an attempt is made to compute the hash of the public key -corresponding to the signing key in case the certificate is self-signed, -or else to copy the subject key identifier (SKID) from the issuer certificate. -If this fails and the option B<always> is present, an error is returned. +If B<keyid> is present, an attempt is made to +copy the subject key identifier (SKID) from the issuer certificate except if +the issuer certificate is the same as the current one and it is not self-signed. +The hash of the public key related to the signing key is taken as fallback +if the issuer certificate is the same as the current certificate. +If B<always> is present but no value can be obtained, an error is returned. If B<issuer> is present, and in addition it has the option B<always> specified or B<keyid> is not present, |
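Review bot: the added sentence "For self-signed certificates the AKID is suppressed unless B<always> is present." and the unchanged sentence right after it ("By default the B<x509>, B<req>, and B<ca> apps behave as if "none" was given for self-signed certificates and "keyid, issuer" otherwise.") state overlapping rules, and a reader cannot tell whether B<always> overrides the "none" default or merely the suppression; merge them into one statement, for example "By default the B<x509>, B<req>, and B<ca> apps omit the AKID for self-signed certificates unless B<always> is present, and otherwise behave as if "keyid, issuer" was given." In the rewritten B<keyid> paragraph, "except if the issuer certificate is the same as the current one and it is not self-signed" followed by "The hash of the public key ... is taken as fallback if the issuer certificate is the same as the current certificate" leaves the self-signed, same-certificate case ambiguous (is the SKID copied from the certificate itself, or is the key hash used?); spelling out the three cases (different issuer certificate, same certificate and self-signed, same certificate and not self-signed) in that order would remove the ambiguity, and "corresponding to the signing key" from the removed line reads better than "related to the signing key".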