Open
Bug 1372079
Opened 8 years ago
Updated 3 years ago
certutil should add Authority Key Identifier and Subject Key Identifier extensions automatically
Categories
(NSS :: Tools, defect, P3)
Tracking
(Not tracked)
NEW
People
(Reporter: ftweedal, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Build ID: 20170420084331
Steps to reproduce:
certutil does not add Authority Key Identifier (AKI) and Subject Key Identifier
(SKI) extensions to certificates by default. These extensions are required
by RFC 5280 and many programs break if they are not present on certificates
(they are used to facilitate certification path construction).
They can be added explicitly by the user, but this interface is
awkward and should not be necessary.
For the SKI, the common practice is to use the SHA-1 digest of the
subjectPublicKey BIT STRING as the Subject Key Identifier, although
any method of generating random, collision-resistant numbers is acceptable.
For a self-signed certificate, the AKI should be the SKI.
For other certificates, the SKI of the signing CA should be propagated
to the AKI of the subject during signing.
For both AKI and SKI, the extension MUST be non-critical.
Version-Release number of selected component (if applicable):
How reproducible: always
Steps to Reproduce:
1. Create a certificate (self-signed or not). Observe that the extensions are not added by default.
Actual results:
Authority Key Identifier and Subject Key Identifier extensions are not
present on the new certificate.
Expected results:
These extensions should be added by default.
Additional info: https://tools.ietf.org/html/rfc5280#section-4.2.1.2
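A sketch of the requested default behaviour, added here as an illustration (it is not certutil or NSS code): derive the SKI from the SHA-1 of the subjectPublicKey BIT STRING contents, reuse it as the AKI for a self-signed certificate or take the issuer's SKI otherwise, and mark both extensions non-critical. The function names, the dict layout and the Ed25519 sample keys are assumptions constructed for the example.

```python
import hashlib

# Constructed sample input: Ed25519 SubjectPublicKeyInfo header + dummy key bytes.
ED25519_SPKI_HEADER = bytes.fromhex("302a300506032b6570032100")
CA_SPKI = ED25519_SPKI_HEADER + bytes(range(32))
LEAF_SPKI = ED25519_SPKI_HEADER + bytes(range(32, 64))

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def encode_tlv(tag, value):
    if len(value) >= 0x80:
        raise ValueError("short-form lengths only in this example")
    return bytes([tag, len(value)]) + value

def key_identifier(spki_der):
    """SHA-1 of the subjectPublicKey BIT STRING contents (RFC 5280 4.2.1.2)."""
    tag, spki, _ = read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, _algorithm, pos = read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, bits, _ = read_tlv(spki, pos)
    if tag != 0x03 or not bits or bits[0] != 0:
        raise ValueError("expected BIT STRING with no unused bits")
    return hashlib.sha1(bits[1:]).digest()  # skip the unused-bits octet

def key_id_extensions(subject_spki, issuer_ski=None):
    """Extension values for a new certificate; issuer_ski=None means self-signed."""
    ski = key_identifier(subject_spki)
    aki = ski if issuer_ski is None else issuer_ski  # propagate the CA's SKI
    return {
        "subjectKeyIdentifier": {"critical": False, "value": encode_tlv(0x04, ski)},
        # AuthorityKeyIdentifier ::= SEQUENCE { keyIdentifier [0] IMPLICIT OCTET STRING }
        "authorityKeyIdentifier": {"critical": False,
                                   "value": encode_tlv(0x30, encode_tlv(0x80, aki))},
    }

if __name__ == "__main__":
    print(key_id_extensions(LEAF_SPKI, key_identifier(CA_SPKI)))
```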
Bulk change per wleung.
Priority: -- → P3
Updated•8 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•3 years ago
Severity: normal → S3