Closed zacikpa closed 4 years ago
OK, they are more consistent now. And thanks for adding `cert_signing_key` and `crl_signing_key` where necessary. (Sidenote: Does OpenSSL check for this? I mean, does validation really fail if this attribute is not present?)
Just a question: I see that in multiple cases, the attributes `signing_key` and `encryption_key` were dropped from the endpoint configurations. Why was this the case?
Note for the future: I'd separate commits changing the functionality (adding/removing attributes) and cosmetic ones just adjusting comments. (Reasoning: If adding/removing an attribute breaks/removes something, tracking it down in this commit with +478/-642 changes will be a pain.)
> (Sidenote: Does OpenSSL check for this? I mean, does validation really fail if this attribute is not present?)

No, it doesn't. I'm not sure why this is the case. The error `X509_V_ERR_KEYUSAGE_NO_CERTSIGN` should be the one to get thrown according to its name and some comments in the code, but that one is marked deprecated in the docs.
> Just a question: I see that in multiple cases, the attributes `signing_key` and `encryption_key` were dropped from the endpoint configurations. Why was this the case?

I wondered why they were there in the first place. The answer is that these attributes are present in the template found in certtool documentation. However, none of our end certificates' public keys are used for any signing (`signing_key`) or encipherment (`encryption_key`). I removed them so that they don't confuse anyone.

> Note for the future: I'd separate commits changing the functionality (adding/removing attributes) and cosmetic ones just adjusting comments.
Acknowledged, thank you for the suggestion.
I put the comments back into the config files, simplifying a few of them.
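The exchange above is about which KeyUsage bits the certtool template options turn on and whether a validator insists on them. As an added illustration (not code from this pull request or from certtool), the following encodes and decodes the X.509 KeyUsage BIT STRING and applies the RFC 5280 rule for issuer certificates: an absent keyUsage extension imposes no restriction, a present one must assert keyCertSign (and cRLSign when the CA issues CRLs). The mapping of certtool option names to bits in the comments is my reading of the certtool template, not something stated in the thread.

```python
# RFC 5280 section 4.2.1.3 bit positions. The certtool template options discussed
# above map onto them as follows (my understanding, not stated in the thread):
#   signing_key -> digitalSignature, encryption_key -> keyEncipherment,
#   cert_signing_key -> keyCertSign, crl_signing_key -> cRLSign.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}

def decode_key_usage(bit_string_der: bytes) -> set:
    """Decode a DER BIT STRING (tag 0x03, short-form length) into the asserted names."""
    if len(bit_string_der) < 3 or bit_string_der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = bit_string_der[1]
    if length > 0x7F or length != len(bit_string_der) - 2:
        raise ValueError("bad DER length")
    unused, payload = bit_string_der[2], bit_string_der[3:]
    total_bits = len(payload) * 8 - unused      # bits beyond this are padding
    return {name for name, pos in KEY_USAGE_BITS.items()
            if pos < total_bits and payload[pos // 8] & (0x80 >> (pos % 8))}

def encode_key_usage(names) -> bytes:
    """Encode KeyUsage names as a DER BIT STRING; DER trims trailing zero bits."""
    positions = sorted(KEY_USAGE_BITS[n] for n in names)
    if not positions:
        return b"\x03\x01\x00"                  # empty bit string
    nbits = positions[-1] + 1
    payload = bytearray((nbits + 7) // 8)
    for pos in positions:
        payload[pos // 8] |= 0x80 >> (pos % 8)  # bit 0 is the MSB of byte 0
    body = bytes([len(payload) * 8 - nbits]) + bytes(payload)
    return b"\x03" + bytes([len(body)]) + body

def issuer_usage_ok(key_usage_der, issues_crls=False):
    """Check an issuer's keyUsage the way RFC 5280 requires: absent extension means
    no restriction; if present, keyCertSign (and cRLSign for CRL issuers) must be set."""
    if key_usage_der is None:
        return True, "keyUsage absent: no restriction"
    usage = decode_key_usage(key_usage_der)
    if "keyCertSign" not in usage:
        return False, "keyUsage present but keyCertSign not asserted"
    if issues_crls and "cRLSign" not in usage:
        return False, "keyUsage present but cRLSign not asserted"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample: a CA template with cert_signing_key and crl_signing_key.
    ca = encode_key_usage({"keyCertSign", "cRLSign"})
    print(ca.hex(), decode_key_usage(ca), issuer_usage_ok(ca, issues_crls=True))
```

Feeding the raw keyUsage extension value of a CA certificate to `issuer_usage_ok` gives the check that the thread observes OpenSSL not performing when the extension is missing.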