Re: Windows 2000, Certificate management bug

From: "Frédéric Giudicelli" <groups@newpki.org>
Date: Wed, 30 Oct 2002 23:55:45 +0100


1) Yes
2) Yes

I honestly don't understand where it's coming from.

"krish shenoy[MS]" <kshenoy@online.microsft.com> wrote in message
news:u4Pzv8FgCHA.2164@tkmsftngp11...
> 1) Does the AKI extension on the intermediate CA certificate match the SKI
> extension on the root cert?
> 2) Does the AKI extension on the user cert (end certificate) match the SKI
> extension in the intermediate CA certificate
> The AKI extension is not added by the user. It is always computed by the CA
> and added to the cert that it issues
> -krish
>
>
> --
> This posting is provided "AS IS" with no warranties and confers no rights.
> Use of any included samples is subject to the terms specified at
> http://www.microsoft.com/info/copyright.htm"
> "Frédéric Giudicelli" <groups@newpki.org> wrote in message
> news:exnHfi8fCHA.2392@tkmsftngp08...
> > On my computer, when displaying the certificate chain, it shows:
> > * End user certificate:
> > TEST ROOT CA
> > |_Frédéric Giudicelli
> >
> > The Intermediate CA cert doesn't show.
> >
> > * Intermediate CA certificate
> > TEST INTERMEDIATE CA
> >
> > When I remove the "Authority Key Identifier" extension the certificate chain
> > works fine....
> >
> > The PKCS12 password is 1234.
> >
> >
> > "krish shenoy[MS]" <kshenoy@online.microsft.com> wrote in message
> > news:#c5kuQ8fCHA.2436@tkmsftngp10...
> > > Can you send the actual certificate chain that was used?
> > >
> > >
> > > --
> > > This posting is provided "AS IS" with no warranties and confers no rights.
> > > Use of any included samples is subject to the terms specified at
> > > http://www.microsoft.com/info/copyright.htm"
> > > "Frédéric Giudicelli" <groups@newpki.org> wrote in message
> > > news:#wk95G8fCHA.1420@tkmsftngp10...
> > > > Hi,
> > > > If a certificate contains the following extension, Windows 2000 SP3 is
> > > > incapable of rebuilding the certificate chain for verification:
> > > >
> > > > Authority Key Identifier: Issuer-keyid, Issuer-DN
> > > >
> > > > This bug only shows in Windows 2000, there is no problem with XP or 98.
> > > > This bug showed up after installing SP3, I do believe there used to be some
> > > > kind of bug linked to this, that was fixed in SP3.
> > > >
> > > >
> > >
> > >
> >
> >
> >
>
>



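The two AKI/SKI checks asked about in this thread, extended to the "Issuer-keyid, Issuer-DN" form from the original report, as an added example that is not part of the thread. It uses the Python `cryptography` package on constructed test certificates; `make_cert`, `aki_problems` and `demo` are hypothetical names. Per RFC 5280, the issuer-DN and serial fields of an AKI identify the CA's certificate by that certificate's own issuer name and serial number.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def make_cert(cn, key, parent=None, parent_key=None, aki_dn=False):
    """Build a constructed test certificate; self-signed when parent is None."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    start = datetime.datetime(2024, 1, 1)
    b = (x509.CertificateBuilder().subject_name(name)
         .issuer_name(parent.subject if parent else name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365))
         .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), False))
    if parent is not None:
        ski = parent.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
        # "Issuer-keyid, Issuer-DN" form: keyid plus the CA cert's issuer name and serial
        dn = [x509.DirectoryName(parent.issuer)] if aki_dn else None
        serial = parent.serial_number if aki_dn else None
        b = b.add_extension(x509.AuthorityKeyIdentifier(ski.digest, dn, serial), False)
    return b.sign(parent_key or key, hashes.SHA256())

def aki_problems(child, issuer):
    """Return the reasons why child's AKI does not identify issuer's certificate."""
    aki = child.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
    ski = issuer.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
    out = []
    if aki.key_identifier is not None and aki.key_identifier != ski.digest:
        out.append("AKI keyid does not match issuer SKI")
    if aki.authority_cert_issuer is not None:
        dns = [g.value for g in aki.authority_cert_issuer
               if isinstance(g, x509.DirectoryName)]
        if issuer.issuer not in dns:
            out.append("AKI issuer DN is not the issuer name of the CA certificate")
        if aki.authority_cert_serial_number != issuer.serial_number:
            out.append("AKI serial is not the CA certificate's serial number")
    return out

def demo():
    """Constructed three-level chain; every issued cert carries keyid + DN + serial."""
    rk, ik, uk = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("TEST ROOT CA", rk)
    inter = make_cert("TEST INTERMEDIATE CA", ik, root, rk, aki_dn=True)
    user = make_cert("Test User", uk, inter, ik, aki_dn=True)
    return root, inter, user
```

For certificates exported from a real chain, load them with `x509.load_pem_x509_certificate` or `x509.load_der_x509_certificate` and pass each child/issuer pair to `aki_problems`.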