OpenBanking-Brasil / specs-seguranca

Documentation for the specifications of the Open Banking Brasil Security Working Group (GT de Segurança). The specifications are still in draft and must not be used for implementation.

Failing during brcac.csr upload #192

Closed linoVer closed 2 years ago

linoVer commented 3 years ago

I am trying to upload a brcac.csr in the software statement, I did it before, but I'm getting the error below.

Certificate Request Validation Error - Extended Key Usage validation failed, could not find Server Auth purpose


RalphBragg commented 3 years ago

@OpenBanking-Brasil/gt-seguranca - we need guidance on this ticket. The specifications currently state that only clientAuth should be included in this profile; however, ICP and the Browser CAB forum want both serverAuth and clientAuth. We can change the sandbox to explicitly match what is published OR we can update the scripts to generate CSRs in line with the CAB forum.

DeiGratia33 commented 2 years ago

Per the CAB Forum, the extended key usage is required and may contain both, or just one of them.

" Either the value id-kp-serverAuth [RFC5280] or id-kp-clientAuth [RFC5280] or both values MUST be present. id-kp-emailProtection [RFC5280] MAY be present. Other values SHOULD NOT be present. The value anyExtendedKeyUsage MUST NOT be present. "

In my opinion, the correct verification logic for client certificates is to check that clientAuth is present, not to require an exact match or to restrict additional properties.
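To make the two validation policies discussed above concrete, here is an added example (not part of the OpenBanking-Brasil specs, sandbox or scripts). It generates three CSRs with different Extended Key Usage sets using the OpenSSL CLI and checks each one both ways: a strict exact match against a clientAuth-only list (the behaviour that rejects a CA/B Forum style CSR carrying serverAuth as well) and the lenient "clientAuth must be present" rule. The subject fields, file names and the `make_csr`, `csr_ekus`, `has_eku` and `exact_eku_match` helper names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example: compare strict vs. lenient EKU validation of a CSR.
# Requires the openssl CLI. Everything is written to a temp directory.
set -e

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# One key is enough for all CSRs in this demonstration (assumed RSA 2048).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORKDIR/key.pem" 2>/dev/null

# make_csr EKU_LIST OUT: write a CSR whose requested extensions carry the
# given extendedKeyUsage list. Subject values are placeholders.
make_csr() {
  eku="$1"; out="$2"
  cfg="$WORKDIR/$(basename "$out").cnf"
  cat > "$cfg" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = ext

[ dn ]
C = BR
O = Example Bank S.A.
CN = example-client.example.com

[ ext ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = $eku
EOF
  openssl req -new -key "$WORKDIR/key.pem" -config "$cfg" -out "$out" 2>/dev/null
}

# csr_ekus CSR: print the EKU purposes as OpenSSL's long names, comma separated,
# e.g. "TLS Web Server Authentication, TLS Web Client Authentication".
# Prints nothing if the CSR requests no EKU extension.
csr_ekus() {
  openssl req -in "$1" -noout -text \
    | awk '/X509v3 Extended Key Usage/ { getline; sub(/^ +/, ""); print; exit }'
}

# has_eku CSR PURPOSE: lenient rule. "yes" if PURPOSE is among the EKUs,
# regardless of which other purposes are also present.
has_eku() {
  case ", $(csr_ekus "$1")," in
    *", $2,"*) echo yes ;;
    *)          echo no ;;
  esac
}

# exact_eku_match CSR LIST: strict rule. "yes" only if the EKU list is exactly LIST.
exact_eku_match() {
  if [ "$(csr_ekus "$1")" = "$2" ]; then echo yes; else echo no; fi
}

CSR_BOTH="$WORKDIR/both.csr"      # CA/B Forum style: serverAuth + clientAuth
CSR_CLIENT="$WORKDIR/client.csr"  # clientAuth only, as the spec text described
CSR_SERVER="$WORKDIR/server.csr"  # serverAuth only: not acceptable for a client cert
make_csr "serverAuth, clientAuth" "$CSR_BOTH"
make_csr "clientAuth"             "$CSR_CLIENT"
make_csr "serverAuth"             "$CSR_SERVER"

CLIENT_AUTH="TLS Web Client Authentication"
for f in "$CSR_BOTH" "$CSR_CLIENT" "$CSR_SERVER"; do
  printf '%s\n  EKU: %s\n  strict clientAuth-only match: %s   clientAuth present: %s\n' \
    "$(basename "$f")" "$(csr_ekus "$f")" \
    "$(exact_eku_match "$f" "$CLIENT_AUTH")" "$(has_eku "$f" "$CLIENT_AUTH")"
done
```

The strict check rejects `both.csr` even though it is a perfectly valid client certificate request, which is the failure mode reported in this issue; the lenient check accepts it and still rejects `server.csr`, which carries no clientAuth at all. A production validator would additionally reject `anyExtendedKeyUsage`, per the CA/B Forum text quoted above.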

ginglass commented 2 years ago

Could someone from @OpenBankingBrasil-GtSeg help with this request? I agree that it is really important to deal with this issue.

RalphBragg commented 2 years ago

This was actioned at the request of gt security and can be closed.

balasubhramanian commented 2 years ago

Hi @RalphBragg, I am currently facing this issue. Can you please let me know the solution for this? I am trying to upload a CSR with serverAuth as extendedKeyUsage to generate the server certificate.