Closed flihp closed 6 months ago
This can be worked around by identifying the issuer through the issuer-key node instead of the issuer-certificate node. We only need the key to generate the authority-key-identifier, so generating it instead of copying it from the issuer-certificate works fine.
The authorityKeyIdentifier is defined here: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1. We're able to set this field for certs that aren't the root / self-signed. Attempts to set this field on a root / self-signed cert produce an error. For input:
the command to generate the cert fails with the following:
It appears as though we're only able to generate this field for certs with a parent that exists on disk. All of this said, it doesn't make a ton of sense to set this field on a root cert because it'll be identical to the subject-key-identifier, and that one works fine. Still, it's a valid config for a cert, and the RFC states that for self-signed certs it MAY be omitted (implying that it's not required). AFAIK openssl ca generates self-signed certs w/ both the authorityKeyIdentifier and the subjectKeyIdentifier set, so I'd say we should support this config unless the work is prohibitively expensive.
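As an added illustration (not code from this issue or the project it concerns), the workaround from the comment above written with the Python cryptography library: the authorityKeyIdentifier of a self-signed root is derived from the issuer key rather than copied from an issuer certificate, and the result is checked against the subjectKeyIdentifier, which the RFC says it must equal for a self-signed cert. The key type, validity period and the name "Example Root" are assumptions.

```python
"""Self-signed root with both subjectKeyIdentifier and authorityKeyIdentifier,
the AKI computed from the signing key (no issuer cert on disk is needed)."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def build_self_signed_root(key=None, common_name="Example Root"):
    """Return a self-signed CA certificate; generates a P-256 key if none given
    (key type and one-year validity are assumptions for this example)."""
    if key is None:
        key = ec.generate_private_key(ec.SECP256R1())
    pub = key.public_key()
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # self-signed: issuer == subject
        .public_key(pub)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(pub), critical=False)
        # There is no issuer certificate to copy from, so derive the AKI keyid
        # from the issuer (here: our own) public key, as the workaround does.
        .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(pub), critical=False)
    )
    return builder.sign(key, hashes.SHA256())


def key_identifiers(cert):
    """Return (subjectKeyIdentifier digest, authorityKeyIdentifier keyid) as bytes."""
    ski = cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
    aki = cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
    return ski.digest, aki.key_identifier


def aki_matches_ski(cert):
    """For a self-signed cert the two identifiers must be identical."""
    ski, aki = key_identifiers(cert)
    return ski == aki


if __name__ == "__main__":
    root = build_self_signed_root()
    print("AKI keyid == SKI:", aki_matches_ski(root))
```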