We accidentally used the certificate templates instead of the final certificates for signing intermediate and leaf, which caused the *KeyId fields to be missing. These fields are mandatory in TLSv3, and our certs did not pass strict verification accordingly.
This PR also adds additional tests for the recovery scenario, enforces x509_strict on the OpenSSL tests and removes unnecessary CA and template fields.
We accidentally used the certificate templates instead of the final certificates for signing intermediate and leaf, which caused the
*KeyId
fields to be missing. These fields are mandatory in TLSv3, and our certs did not pass strict verification accordingly.This PR also adds additional tests for the recovery scenario, enforces
x509_strict
on the OpenSSL tests and removes unnecessary CA and template fields.