edgelesssys / contrast

Deploy and manage confidential containers on Kubernetes
https://docs.edgeless.systems/contrast
GNU Affero General Public License v3.0

ca: include SubjectKeyId and AuthorityKeyId in certificates #655

Closed burgerdev closed 1 day ago

burgerdev commented 2 days ago

We accidentally used the certificate templates instead of the final certificates for signing intermediate and leaf, which caused the *KeyId fields to be missing. These fields are mandatory in TLSv3, and our certs did not pass strict verification accordingly.

This PR also adds additional tests for the recovery scenario, enforces x509_strict on the OpenSSL tests and removes unnecessary CA and template fields.
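The failure mode described above, as an added Go example that is not code from this PR or the Contrast code base. It assumes the standard library's `crypto/x509`, where `x509.CreateCertificate` copies the parent's SubjectKeyId into the child's AuthorityKeyId, so passing the unsigned template as parent leaves the field empty. All names, keys and certificate contents are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // panic on error to keep the example short
	if err != nil {
		panic(err)
	}
	return v
}

// caTemplate builds a constructed CA template that sets neither SubjectKeyId nor AuthorityKeyId.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageCertSign,
	}
}

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate { // returns the parsed final cert
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))
	return must(x509.ParseCertificate(der))
}

// IssueIntermediate returns a root and an intermediate; templateAsParent=true reproduces the bug.
func IssueIntermediate(templateAsParent bool) (root, inter *x509.Certificate) {
	rootKey, interKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := caTemplate("constructed root", 1)
	root = sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // SubjectKeyId exists only on this final cert
	parent := root                                               // fixed: sign under the final certificate
	if templateAsParent {
		parent = rootTmpl // buggy: the template has no SubjectKeyId to copy
	}
	return root, sign(caTemplate("constructed intermediate", 2), parent, &interKey.PublicKey, rootKey)
}

func main() {
	_, bad := IssueIntermediate(true)
	_, good := IssueIntermediate(false)
	fmt.Printf("AKI with template as parent: %x\nAKI with final cert as parent: %x\n", bad.AuthorityKeyId, good.AuthorityKeyId)
}
```

Both intermediates carry a valid signature from the root key; only the key identifier extension differs, which is why the problem surfaces only under strict verification.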

edgelessci commented 1 day ago

Successfully created backport PR for release/v0.7: