shibayan / keyvault-acmebot

Automated ACME SSL/TLS certificates issuer for Azure Key Vault (App Service / Container Apps / App Gateway / Front Door / CDN / others)
Apache License 2.0

Basic Constraints in CSRs #776

Open ChristianBrandenburg opened 1 week ago

ChristianBrandenburg commented 1 week ago

Is your feature request related to a problem? Please describe.

I am trying to set up keyvault-acmebot with a custom CA (GlobalSign Atlas). Adding the Atlas endpoint is not a problem, but issuance of certificates fails due to OID 2.5.29.19/Basic Constraints being present in CSRs generated by keyvault-acmebot.

Describe the solution you'd like

I would like CSRs not to be generated with OID 2.5.29.19/Basic Constraints. CAs usually ignore Basic Constraints (and Key Usage extensions) in the CSRs they receive because they have to be added by CAs themselves according to their certificate profiles.
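To check which extensions a CSR actually requests (for example, whether Basic Constraints, OID 2.5.29.19, is present before it is submitted to a CA), the following sketch reads the PKCS#10 extensionRequest attribute using only the Python standard library. It is an added example, not part of the original thread or of keyvault-acmebot; all function names are hypothetical, and the sample CSR is a constructed skeleton whose key and signature are placeholders.

```python
import base64

EXTENSION_REQUEST = "1.2.840.113549.1.9.14"  # PKCS#9 attribute that carries requested extensions

def read_tlv(buf, pos):  # one DER element -> (tag, content, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):  # content of a constructed element -> [(tag, content), ...]
    pos, out = 0, []
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def decode_oid(body):
    first = min(body[0] // 40, 2)
    arcs, value = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def requested_extensions(csr):
    """Return the OIDs of the extensions requested in a PEM or DER PKCS#10 CSR."""
    if csr.lstrip().startswith(b"-----BEGIN"):
        csr = base64.b64decode(b"".join(csr.strip().splitlines()[1:-1]))
    info = children(children(read_tlv(csr, 0)[1])[0][1])  # version, subject, key, [0] attributes
    oids = []
    for _, attr in (a for tag, attrs in info[3:] if tag == 0xA0 for a in children(attrs)):
        (_, attr_type), (_, values) = children(attr)
        if decode_oid(attr_type) == EXTENSION_REQUEST:
            for _, extensions in children(values):
                oids += [decode_oid(children(e)[0][1]) for _, e in children(extensions)]
    return oids

def tlv(tag, *parts):  # short-form DER encoder, enough for the constructed sample
    return bytes([tag, len(b"".join(parts))]) + b"".join(parts)

def sample_csr(with_basic_constraints):  # constructed skeleton; key and signature are placeholders
    san = tlv(0x30, tlv(0x06, bytes.fromhex("551d11")), tlv(0x04, tlv(0x30, tlv(0x82, b"example.com"))))
    bc = tlv(0x30, tlv(0x06, bytes.fromhex("551d13")), tlv(0x01, b"\xff"), tlv(0x04, tlv(0x30)))
    exts = tlv(0x30, san, bc if with_basic_constraints else b"")
    attrs = tlv(0xA0, tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01090e")), tlv(0x31, exts)))
    return tlv(0x30, tlv(0x30, tlv(0x02, b"\x00"), tlv(0x30), tlv(0x30), attrs), tlv(0x30), tlv(0x03, b"\x00"))
```

`requested_extensions` accepts the bytes of a real CSR file as well; it does not verify the signature, it only lists what the requester asked for.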

shibayan commented 10 hours ago

I don't know much about CSR, so I'm using the default values generated by Key Vault, but I don't understand what will improve and what the impact will be with this proposal.