Removes a duplicate lint regarding RFC 5280: 4.2.1.1.
Additionally, I believe that the lint itself was slightly inaccurate vis-a-vis RFC 5280.
RFC 5280: 4.2.1.1
The keyIdentifier field of the authorityKeyIdentifier extension MUST
be included in all certificates generated by conforming CAs to
facilitate certification path construction. There is one exception;
where a CA distributes its public key in the form of a "self-signed"
certificate, the authority key identifier MAY be omitted. The
signature on a self-signed certificate is generated with the private
key associated with the certificate's subject public key. (This
proves that the issuer possesses both the public and private keys.)
In this case, the subject and authority key identifiers would be
identical, but only the subject key identifier is needed for
certification path building.
I've attempted to encode this language a bit more precisely in this lint update.
Integration Test Failures
I'm working through smoke checking these fingerprints, but so far it looks reasonable.
For example, fe716ff3996cd6561b6b63a8c440fdf5489cf48f7834283eebd19b380f3fbc22 features a certificate that is indeed a CA, but is not self-signed and does not have the authority key ID (well, it has the common name and serial, but not the actual identifier).
@mtgag to bring this review to your attention.
Addresses #725
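As an added illustration (not zlint's code and not part of this pull request), the rule quoted from RFC 5280 4.2.1.1 can be checked with Go's standard library as shown here. `checkAKI` and `makeCert` are hypothetical names, the certificates are constructed in-process, and treating the exception as "CA and self-signed" is this example's reading of the quoted text.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// checkAKI: the AKI keyIdentifier is required unless the certificate is a CA
// certificate whose signature verifies under its own key (self-signed). Go's
// AuthorityKeyId holds only keyIdentifier, so issuer name + serial do not count.
func checkAKI(c *x509.Certificate) error {
	if len(c.AuthorityKeyId) > 0 {
		return nil
	}
	selfSigned := c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
	if c.IsCA && selfSigned {
		return nil
	}
	return fmt.Errorf("no AKI keyIdentifier (CA=%v, self-signed=%v)", c.IsCA, selfSigned)
}

// makeCert builds a constructed test certificate. The issuer template carries no
// SubjectKeyId, so CreateCertificate writes no AKI into the result.
func makeCert(cn, issuerCN string, isCA bool) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	signer := key // same name for subject and issuer means self-signed
	if cn != issuerCN {
		signer, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	issuer := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	c, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic(fmt.Sprint(err, perr))
	}
	return c
}

func main() {
	fmt.Println("self-signed root:", checkAKI(makeCert("Root", "Root", true)))
	fmt.Println("subordinate CA:  ", checkAKI(makeCert("Sub CA", "Root", true)))
}
```

The subordinate CA case mirrors the certificate described above: a CA that is not self-signed and carries no key identifier.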