Re: Windows 2000, Certificate management bug

From: krish shenoy[MS] (kshenoy@online.microsft.com)
Date: 10/30/02


From: "krish shenoy[MS]" <kshenoy@online.microsft.com>
Date: Wed, 30 Oct 2002 13:57:38 -0800


1) Does the AKI extension on the intermediate CA certificate match the SKI
extension on the root cert?
2) Does the AKI extension on the user cert (end certificate) match the SKI
extension in the intermediate CA certificate?
The AKI extension is not added by the user. It is always computed by the CA
and added to the cert that it issues.
-krish

--
This posting is provided "AS IS" with no warranties and confers no rights.
Use of any included samples is subject to the terms specified at
http://www.microsoft.com/info/copyright.htm
"Frédéric Giudicelli" <groups@newpki.org> wrote in message
news:exnHfi8fCHA.2392@tkmsftngp08...
> On my computer, when displaying the certificate chain, it shows:
> * End user certificate:
>     TEST ROOT CA
>     |_Frédéric Giudicelli
>
>     The Intermediate CA cert doesn't show.
>
> * Intermediate CA certificate
>     TEST INTERMEDIATE CA
>
> When I remove the "Authority Key Identifier" extension the certificate chain
> works fine....
>
> The PKCS12 password is 1234.
>
>
> "krish shenoy[MS]" <kshenoy@online.microsft.com> wrote in message
> news:#c5kuQ8fCHA.2436@tkmsftngp10...
> > Can you send the actual certificate chain that was used?
> >
> >
> > --
> > This posting is provided "AS IS" with no warranties and confers no rights.
> > Use of any included samples is subject to the terms specified at
> > http://www.microsoft.com/info/copyright.htm
> > "Frédéric Giudicelli" <groups@newpki.org> wrote in message
> > news:#wk95G8fCHA.1420@tkmsftngp10...
> > > Hi,
> > > If a certificate contains the following extension, Windows 2000 SP3 is
> > > incapable of rebuilding the certificate chain for verification:
> > >
> > > Authority Key Identifier: Issuer-keyid, Issuer-DN
> > >
> > > This bug only shows in Windows 2000, there is no problem with XP or 98.
> > > This bug showed up after installing SP3, I do believe there used to be some
> > > kind of bug linked to this, that was fixed in SP3.
> > >
> > >
> >
> >
>
>
>
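
The two questions at the top of this thread can be checked mechanically. The following is an added example, not code from the thread or from Microsoft: it parses an Authority Key Identifier extension value and compares it with the issuer certificate's SKI, issuer name and serial number. The helper names, key id and serial numbers are constructed for illustration, and the DN comparison is byte-for-byte, which is a simplification of real name matching.

```python
def tlv(tag, val):  # encode one DER TLV (short-form length is enough here)
    return bytes([tag, len(val)]) + val

def read_tlv(buf, pos=0):
    """Decode one DER TLV; return (tag, value, offset_after)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def parse_aki(extn_value):
    """Split an AuthorityKeyIdentifier (RFC 5280 4.2.1.1) into its fields."""
    tag, body, _ = read_tlv(extn_value)
    if tag != 0x30:
        raise ValueError("AKI is not a SEQUENCE")
    names, fields, pos = {0x80: "keyid", 0xA1: "issuer", 0x82: "serial"}, {}, 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag in names:
            fields[names[tag]] = val
    return fields

def check_link(child_aki, issuer_cert):
    """List mismatches. Issuer-DN and serial in an AKI name the issuer
    certificate's own issuer and serial number, not its subject."""
    aki, problems = parse_aki(child_aki), []
    if "keyid" in aki and aki["keyid"] != read_tlv(issuer_cert["ski"])[1]:
        problems.append("keyid differs from issuer SKI")
    if "issuer" in aki:
        dir_name = read_tlv(aki["issuer"])[1]  # first GeneralName, [4] directoryName
        if dir_name != issuer_cert["issuer_dn"]:  # byte compare: a simplification
            problems.append("AKI issuer DN differs from issuer cert's issuer")
    if "serial" in aki and int.from_bytes(aki["serial"], "big") != issuer_cert["serial"]:
        problems.append("AKI serial differs from issuer cert's serial")
    return problems

def dn(cn):  # DER Name holding a single commonName (OID 2.5.4.3)
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
def make_aki(keyid, issuer_cn, serial):  # AKI with keyid, issuer DN and serial
    return tlv(0x30, tlv(0x80, keyid) + tlv(0xA1, tlv(0xA4, dn(issuer_cn))) + tlv(0x82, bytes([serial])))

# Constructed sample: fields of an intermediate CA cert issued by TEST ROOT CA.
KEYID = bytes.fromhex("a1b2c3d4")
INTERMEDIATE = {"ski": tlv(0x04, KEYID), "issuer_dn": dn("TEST ROOT CA"), "serial": 2}
GOOD_AKI = make_aki(KEYID, "TEST ROOT CA", 2)
BAD_AKI = make_aki(KEYID, "TEST INTERMEDIATE CA", 2)  # names the CA itself, not its issuer
```

`check_link(GOOD_AKI, INTERMEDIATE)` returns an empty list, while `check_link(BAD_AKI, INTERMEDIATE)` reports the issuer DN mismatch even though the key id matches.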

