
I want to cross-sign a third-party root CA (third-party-ca) with my own root CA (r1). (Background: restricting usage)

To do this, I use

openssl x509 -in third-party-ca.crt -CA /etc/pki/r1/ca.crt -CAkey /etc/pki/r1/private/ca.key -out third-party-ca-cross-signed.crt -set_serial 1000

This works, but keeps the Authority Key Identifier of the third-party-ca, which would need to be changed to the Subject Key Identifier of r1. (For an in-the-wild example, see Let's Encrypt ISRG X1 cross-signed by DST Root CA X3.)

I'm able to add another Authority Key Identifier by creating an akiext and using -extfile akiext. However, this results in two Authority Key Identifiers.

How can I replace the existing Authority Key Identifier?

Zulakis

1 Answer


On the openssl x509 command line, you can't selectively delete extension(s); you can use -clrext to drop all input extensions and configure in your -extfile the pre-existing extensions you do want (at minimum BC and KU) plus the new one(s). Note that public subordinate or cross CA certs -- such as the one you link -- likely contain AIA and/or CRLDP as well as AKI, all of which are only correct for the issuer/parent you are replacing and thus should be replaced (or removed).

Alternatively you could write code; doing this using the API is straightforward. But that probably belongs on SO or maybe security.SX instead of here. (And you are expected to do part of the work.)

In your specific example, ISRG Root X1 is available both cross-signed by Identrust DST X3 and as a root -- if you start from the root cert it has no AKI or AIA/CRLDP that need to be removed.

Update: as revealed by a subsequent related question, OpenSSL 3.0.0 and up doesn't allow the non-root input case; it requires the old cert to be self-signed (a root). Comments in the source indicate this was always intended, though not effectively enforced before.
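The -clrext plus -extfile approach from the answer, carried through end to end as an added example (this script is not part of the question or the answer and is not taken from any project). It generates two throwaway self-signed roots named r1 and third-party-ca (the names, CNs, serial 1000 and the 1825-day validity are assumptions for the demo), gives the third-party root a self-referencing AKI like DST Root CA X3 has, cross-signs it under r1 with all input extensions cleared and BC, KU, SKI and AKI re-added from an extfile, and then checks that exactly one AKI remains, that it equals r1's SKI, that the SKI is unchanged, and that openssl verify now chains the cert to r1 and no longer to the third-party root. Because the input is self-signed, it runs under OpenSSL 1.1.1 and 3.x alike (the update above notes that 3.x rejects a non-root input). It assumes an openssl binary of 1.1.1 or newer on PATH and a grep that supports -o.

```shell
#!/bin/sh
# Added example (not from the question or answer): cross-sign a self-signed
# third-party root with our own root r1 using -clrext plus an -extfile, so the
# only AKI in the result is r1's SKI. Names, CNs, serial and validity below are
# constructed for the demo; the keys are throwaway EC keys made on the fly.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config for a self-signed root named $1. Passing -config means the
# system openssl.cnf (and whatever v3_ca it defines) is not consulted.
write_root_cnf() {
    cat > "$WORK/$1.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = root_ext
[ dn ]
CN = $1
[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# make_root NAME: self-signed root with an SKI and a self-referencing AKI.
make_root() {
    write_root_cnf "$1"
    openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -config "$WORK/$1.cnf" -days 3650 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Extensions for the cross cert: the BC/KU the answer calls the minimum, a fresh
# SKI (hash of the subject key, so it equals the third-party root's own SKI) and
# an AKI that keyid resolves to the signing CA's SKI.
write_cross_cnf() {
    cat > "$WORK/cross.cnf" <<EOF
[ cross_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# cross_sign CERT CANAME OUT: re-sign CERT under $WORK/CANAME.{crt,key}.
# -clrext comes before -CA on purpose: OpenSSL 1.1.1's x509 app performs these
# steps in command-line order, and the extfile extensions are added while signing.
cross_sign() {
    write_cross_cnf
    openssl x509 -in "$1" \
        -clrext -extfile "$WORK/cross.cnf" -extensions cross_ext \
        -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -set_serial 1000 -days 1825 \
        -out "$3"
}

# key_id CERT EXTNAME: the 20-byte identifier of an SKI or AKI extension as
# colon-separated hex (tolerates the "keyid:" prefix 1.1.1 prints and 3.x omits).
key_id() {
    openssl x509 -in "$1" -noout -ext "$2" \
        | grep -oE '([0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2}' | head -n 1
}

# ext_count CERT TEXT: how many times an extension heading appears in -text.
ext_count() {
    openssl x509 -in "$1" -noout -text | grep -c "$2" || true
}

# chains_to CERT ANCHOR: succeeds if openssl verify accepts CERT with ANCHOR
# as the only trusted root.
chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_root r1
make_root third-party-ca
TP="$WORK/third-party-ca.crt"
CROSS="$WORK/third-party-ca-cross-signed.crt"
cross_sign "$TP" r1 "$CROSS"

echo "third-party root SKI : $(key_id "$TP" subjectKeyIdentifier)"
echo "third-party root AKI : $(key_id "$TP" authorityKeyIdentifier)"
echo "r1 SKI               : $(key_id "$WORK/r1.crt" subjectKeyIdentifier)"
echo "cross-signed SKI     : $(key_id "$CROSS" subjectKeyIdentifier)"
echo "cross-signed AKI     : $(key_id "$CROSS" authorityKeyIdentifier)"
echo "AKI extensions in cross cert: $(ext_count "$CROSS" 'Authority Key Identifier')"
chains_to "$CROSS" "$WORK/r1.crt" && echo "cross cert verifies under r1"
chains_to "$CROSS" "$TP" || echo "cross cert no longer verifies under the third-party root"
```

For a real cross-sign you would keep the extfile's BC and KU in line with the original root's values and, as the answer says, drop or replace any AIA or CRLDP the input carried; starting from the third-party root certificate rather than from an already cross-signed intermediate is what keeps this working on OpenSSL 3.x.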