CA chain computation
When verifying a certificate against a CA or a chain of CAs, the system needs to identify the issuer CA of the certificate in question. SR OS looks through all configured ca-profiles to find the issuer CA. The system uses the following criteria to find the issuer CA:
- The issuer CA’s certificate subject must match the issuer field of the certificate in question.
- If present, the authority key identifier of the certificate in question must match the subject key identifier of the issuer CA’s certificate.
- If present, the key usage extension of the issuer CA’s certificate must permit certificate signing.
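
The selection rules above, modeled on simplified certificate records as an added example (not SR OS code). The Cert fields, the CA_PROFILES dictionary and all sample values are constructed; signature verification is not modeled, and using the first qualifying profile when several match is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    # Only the fields the selection rules look at; values below are constructed.
    subject: str
    issuer: str
    ski: Optional[str] = None               # subject key identifier
    aki: Optional[str] = None               # authority key identifier
    key_usage: Optional[frozenset] = None   # None means the extension is absent

def is_issuer_of(ca, cert):
    """Apply the three rules from the text to one candidate CA certificate."""
    if ca.subject != cert.issuer:
        return False
    if cert.aki is not None and cert.aki != ca.ski:
        return False
    if ca.key_usage is not None and "keyCertSign" not in ca.key_usage:
        return False
    return True

def find_issuers(cert, ca_profiles):
    """Names of every ca-profile (hypothetical dict) that qualifies as issuer."""
    return [n for n, ca in ca_profiles.items() if is_issuer_of(ca, cert)]

def build_chain(cert, ca_profiles):
    """Follow issuer links up to a self-issued CA; None if the chain breaks.
    Assumption: the first qualifying profile is used at each step."""
    chain = []
    while len(chain) < len(ca_profiles):      # bound guards against loops
        names = find_issuers(cert, ca_profiles)
        if not names:
            return None
        chain.append(names[0])
        cert = ca_profiles[names[0]]
        if cert.subject == cert.issuer:
            return chain
    return None

SIGN = frozenset({"keyCertSign", "cRLSign"})
CA_PROFILES = {  # constructed sample: one root, a rekeyed sub-CA, one non-signing cert
    "root":       Cert("CN=Root", "CN=Root", ski="aa", key_usage=SIGN),
    "sub-old":    Cert("CN=Sub", "CN=Root", ski="b1", aki="aa", key_usage=SIGN),
    "sub-new":    Cert("CN=Sub", "CN=Root", ski="b2", aki="aa", key_usage=SIGN),
    "sub-nosign": Cert("CN=Sub", "CN=Root", ski="b3", aki="aa",
                       key_usage=frozenset({"digitalSignature"})),
}
```

A certificate without an authority key identifier matches both "sub-old" and "sub-new" on subject name alone, which is why the key identifier check matters when a CA has been rekeyed under the same name.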