Re: tls init def ctx failed: -1 with my cacert signed certs

Karsten Künne wrote:
> They might not support the AKI extension which is surprising 
> as this extension is rather trivial to add.

Well, they should add it to be compliant with PKIX cert profile.

RFC 5280, section

   The keyIdentifier field of the authorityKeyIdentifier extension MUST
   be included in all certificates generated by conforming CAs to
   facilitate certification path construction.  There is one exception;
   where a CA distributes its public key in the form of a "self-signed"
   certificate, the authority key identifier MAY be omitted.

Ciao, Michael.
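
Added example, not part of the original message: a standard-library Python check for the RFC 5280 rule quoted above, reporting whether a DER certificate carries the `keyIdentifier` field of the authorityKeyIdentifier extension. The function names and the sample certificates are hypothetical and constructed here (unsigned skeletons), and "self-signed" is approximated as issuer equal to subject because no signature is verified.

```python
# Added example: stdlib-only DER walk over constructed, unsigned certificate skeletons.
AKI_OID = bytes.fromhex("551d23")  # 2.5.29.35 authorityKeyIdentifier

def tlv(tag, body):
    """Encode one DER TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def children(buf):
    """Split DER contents into (tag, body, raw_tlv) tuples."""
    out, i = [], 0
    while i < len(buf):
        tag, n, j = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long-form length
            k = n & 0x7F
            n, j = int.from_bytes(buf[j:j + k], "big"), j + k
        out.append((tag, buf[j:j + n], buf[i:j + n]))
        i = j + n
    return out

def aki_status(cert_der):
    """Return 'present', 'omitted-self-issued' or 'missing' for the AKI keyIdentifier."""
    fields = children(children(children(cert_der)[0][1])[0][1])  # TBSCertificate fields
    if fields[0][0] == 0xA0:  # skip the explicit [0] version
        fields = fields[1:]
    issuer, subject = fields[2][2], fields[4][2]
    for body in (b for t, b, _ in fields[6:] if t == 0xA3):  # [3] extensions
        for _, ext, _ in children(children(body)[0][1]):
            parts = children(ext)  # extnID, optional critical flag, extnValue
            if parts[0][1] == AKI_OID:
                aki = children(parts[-1][1])[0][1]  # OCTET STRING -> SEQUENCE contents
                if any(t == 0x80 for t, _, _ in children(aki)):  # [0] keyIdentifier
                    return "present"
    # Assumption: issuer == subject stands in for "self-signed" (signature not checked).
    return "omitted-self-issued" if issuer == subject else "missing"

def sample_cert(issuer, subject, key_id=None):
    """Build a constructed, unsigned certificate skeleton (hypothetical demo helper)."""
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn))))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name(issuer)
    tbs += tlv(0x30, tlv(0x17, b"250101000000Z") * 2) + name(subject) + tlv(0x30, alg + tlv(0x03, b"\x00"))
    if key_id is not None:
        ext = tlv(0x30, tlv(0x06, AKI_OID) + tlv(0x04, tlv(0x30, tlv(0x80, key_id))))
        tbs += tlv(0xA3, tlv(0x30, ext))
    return tlv(0x30, tlv(0x30, tbs) + alg + tlv(0x03, b"\x00"))
```

To run it on a real certificate, pass the DER bytes (for a PEM file, the base64-decoded body) to `aki_status`.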