
Re: tls init def ctx failed: -1 with my cacert signed certs



Karsten Künne wrote:
> They might not support the AKI extension which is surprising 
> as this extension is rather trivial to add.

Well, they should add it to be compliant with PKIX cert profile.

RFC 5280, section 4.2.1.1.:

   The keyIdentifier field of the authorityKeyIdentifier extension MUST
   be included in all certificates generated by conforming CAs to
   facilitate certification path construction.  There is one exception;
   where a CA distributes its public key in the form of a "self-signed"
   certificate, the authority key identifier MAY be omitted.

Ciao, Michael.
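
The RFC 5280 rule quoted in the message above can be checked mechanically. The following is an added example, not part of the original message or of any project's code; it assumes the Python `cryptography` package, and all names, keys and certificates in it are constructed for illustration.

```python
# Added example: flag certificates that lack the AKI keyIdentifier required by
# RFC 5280 section 4.2.1.1. All names and certificates here are constructed.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_cert(subject_cn, issuer_cn, subject_key, issuer_key, with_aki):
    """Build a constructed test certificate, optionally with an AKI extension."""
    now = datetime.datetime(2024, 1, 1)
    builder = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
        .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
    )
    if with_aki:
        aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(issuer_key.public_key())
        builder = builder.add_extension(aki, critical=False)  # AKI is non-critical
    return builder.sign(issuer_key, hashes.SHA256())


def aki_status(cert):
    """Return 'ok', 'exempt' (self-issued, AKI may be omitted) or 'missing'."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier)
        if ext.value.key_identifier is not None:
            return "ok"
    except x509.ExtensionNotFound:
        pass
    # Simplification: subject == issuer is treated as "self-signed" here;
    # a full check would also verify the signature with the cert's own key.
    return "exempt" if cert.subject == cert.issuer else "missing"


ca_key = ec.generate_private_key(ec.SECP256R1())
leaf_key = ec.generate_private_key(ec.SECP256R1())
root = make_cert("Example Root CA", "Example Root CA", ca_key, ca_key, with_aki=False)
leaf_good = make_cert("ldap.example.test", "Example Root CA", leaf_key, ca_key, with_aki=True)
leaf_bad = make_cert("ldap.example.test", "Example Root CA", leaf_key, ca_key, with_aki=False)

if __name__ == "__main__":
    for name, cert in [("root", root), ("leaf_good", leaf_good), ("leaf_bad", leaf_bad)]:
        print(name, aki_status(cert))
```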