“X509v3 Authority Key Identifier” or “authorityKeyIdentifier” is an X509v3 extension that’s added to X509 certificates and identifies the key (and, optionally, the certificate) of the CA that signed the certificate. Its purpose is path building: when a verifier has several candidate CA certificates with the same subject name (e.g. an old and a renewed CA certificate, or a cross-signed one), the extension tells it which one actually issued the certificate, so it doesn’t have to try each one in turn. RFC 5280 (section 4.2.1.1) defines two ways of identifying the issuer in it: a key identifier, and an issuer name plus serial number.
Edit openssl.cnf and make sure that authorityKeyIdentifier does not include “issuer”
There’s an issue when using the default OpenSSL configuration, or when basing a config on it: the default openssl.cnf sets authorityKeyIdentifier to both “keyid” and “issuer” in the section that lists extensions for end-entity (“user”) certificates, i.e. not the CA section. As a result, new certificates get the extension with two identifiers for the signing CA:
- The Key ID of the CA’s cert (because of “keyid”), which is the CA certificate’s subjectKeyIdentifier, i.e. a hash of the CA’s public key
- The issuer name and the serial number of the CA’s cert (because of “issuer”; OpenSSL adds this pair when the keyid lookup fails, or always if the option is written “issuer:always”)
X509v3 Authority Key Identifier:
    keyid:7E:E5:82:FF:FF:FF:15:96:9B:40:FF:C9:5E:51:FF:69:67:4D:BF:FF
    DirName:/C=UK/O=V13/OU=V13/CN=V13 Certificate Authority
    serial:8E:FF:A2:1B:74:DD:54:FF
And this is where the pain and the suffering happens: if you ever decide that you want to re-create the CA’s certificate using the same private key (for example to extend its validity), you won’t be able to do so, because every certificate that’s already been signed names the subject and the serial number of the old CA certificate as its issuer. When OpenSSL builds the chain it compares the DirName and serial in the AKI against each candidate issuer certificate, and a re-created CA certificate necessarily has a new serial number, so it’s rejected as the issuer even though the key (and therefore the keyid) is exactly the same. Thus your new CA certificate will not be able to verify the existing certificates; openssl verify reports that it can’t find the issuer certificate.
Thus the only ways to replace your CA certificate would be:
- To start from scratch, re-issuing all certificates under the new CA certificate, or
- to create another CA certificate with the same subject and the same serial number (not tested)
Recreating a CA certificate with the same details (in particular the same serial number) makes it impossible to have both certificates in use at the same time, since issuer name plus serial number is what CRLs, certificate stores and the AKI itself use to identify a certificate, and it will most probably cause a mess.
The best approach is to completely remove “issuer” from the authorityKeyIdentifier line in the configuration file. Then only the Key ID is used to identify the CA, which is more than enough: it is derived from the CA’s public key, so it stays valid across any number of re-issued CA certificates that keep the same key, and the keyIdentifier is the part of the extension that RFC 5280 actually requires conforming CAs to include. (If you want OpenSSL to fail loudly instead of silently omitting the extension when the CA certificate has no subjectKeyIdentifier, write it as “keyid:always”.)
So set authorityKeyIdentifier to “keyid” alone and live a happy life.
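The following script reproduces the whole problem end to end with the openssl command line tool. It is an added example, not code from the original post: it creates a CA key, issues two CA certificates from that same key with different serial numbers (the “old” one and the “re-created” one), signs a leaf certificate under the old one, and then checks whether the leaf verifies against the new CA certificate. The only thing that changes between the two runs is the authorityKeyIdentifier value in the leaf’s extension section. Because OpenSSL only emits the DirName/serial pair when forced, the failing run uses keyid,issuer:always to get the same keyid + DirName + serial form shown in the output above; the passing run uses keyid alone. All names (Example Test CA, leaf.example.test), serial numbers and file names are made up for the example, and it needs a working openssl binary (1.0.2 or later) on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post): show that an authorityKeyIdentifier
# carrying the CA's issuer name and serial number ties leaf certificates to one
# specific CA certificate, while a keyid-only AKI survives re-creating the CA
# certificate from the same key.

# verify_with_reissued_ca AKI_VALUE
#   Builds the scenario in a temporary directory and returns:
#     0  the leaf verifies against the re-created CA certificate
#     1  the leaf does NOT verify against the re-created CA certificate
#     2  setup failed (openssl missing, or a command errored)
verify_with_reissued_ca() {
    aki="$1"
    work=$(mktemp -d) || return 2
    (
        cd "$work" || exit 2

        # Minimal config for the self-signed CA certificate (assumed names).
        # The CA cert gets a subjectKeyIdentifier, which is what "keyid" copies.
        cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
        # Extension section for the leaf; only the AKI line differs between runs.
        cat > leaf.ext <<EOF
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = $aki
EOF
        # One CA key, two CA certificates: same key and subject, different serial.
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out ca.key >/dev/null 2>&1 || exit 2
        openssl req -x509 -new -key ca.key -config ca.cnf -set_serial 1 -days 3650 -out ca-old.crt >/dev/null 2>&1 || exit 2
        openssl req -x509 -new -key ca.key -config ca.cnf -set_serial 2 -days 3650 -out ca-new.crt >/dev/null 2>&1 || exit 2

        # Leaf certificate signed under the OLD CA certificate.
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out leaf.key >/dev/null 2>&1 || exit 2
        openssl req -new -key leaf.key -subj "/CN=leaf.example.test" -config ca.cnf -out leaf.csr >/dev/null 2>&1 || exit 2
        openssl x509 -req -in leaf.csr -CA ca-old.crt -CAkey ca.key -set_serial 1000 -days 365 \
            -extfile leaf.ext -out leaf.crt >/dev/null 2>&1 || exit 2

        # Sanity check: the leaf must verify against the CA cert that signed it.
        openssl verify -CAfile ca-old.crt leaf.crt >/dev/null 2>&1 || exit 2

        # The interesting case: does the re-created CA certificate still work?
        if openssl verify -CAfile ca-new.crt leaf.crt >/dev/null 2>&1; then
            exit 0
        else
            exit 1
        fi
    )
    rc=$?
    rm -rf "$work"
    return $rc
}

# When run directly, try both configurations and report the outcome.
for aki in 'keyid,issuer:always' 'keyid'; do
    if verify_with_reissued_ca "$aki"; then
        echo "authorityKeyIdentifier=$aki : leaf verifies against the re-created CA cert"
    else
        echo "authorityKeyIdentifier=$aki : leaf does NOT verify against the re-created CA cert"
    fi
done
```

To see the extension itself, drop the rm -rf line and run openssl x509 -in leaf.crt -noout -text in the temporary directory: the keyid,issuer:always run prints keyid, DirName and serial, the keyid run prints only the keyid, and that keyid is identical in ca-old.crt and ca-new.crt because it is a hash of the shared public key.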