Generated X.509 certs should be RFC 5280 compliant by default

Meanwhile we have stronger checks for X.509 certificates to comply to RFC 5280, 
at least when strict checking is enabled (e.g., using `-x509_strict`).

Yet unfortunately the OpenSSL apps by default tend to generate certs that are not compliant.
In particular, X.509v3 certs (i.e., those having any X.509 extensions) MUST include 
*  an authority key identifier (AKID) with the exception of self-signed certs - see https://tools.ietf.org/html/rfc5280#section-4.2.1.1
* a subject key identifier (SKID) with the exception of non-CA certs - see https://tools.ietf.org/html/rfc5280#section-4.2.1.2

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Generated X.509 certs should be RFC 5280 compliant by default #13603

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Generated X.509 certs should be RFC 5280 compliant by default #13603

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions