[Date Prev][Date Next]
Re: tls init def ctx failed: -1 with my cacert signed certs
Karsten Künne wrote:
> They might not support the AKI extension which is surprising
> as this extension is rather trivial to add.
Well, they should add it to be compliant with PKIX cert profile.
RFC 5280, section 18.104.22.168.:
The keyIdentifier field of the authorityKeyIdentifier extension MUST
be included in all certificates generated by conforming CAs to
facilitate certification path construction. There is one exception;
where a CA distributes its public key in the form of a "self-signed"
certificate, the authority key identifier MAY be omitted.