don't copy issuer to authorityKeyIdentifier

issuer contains the CA' serial number, thus making CA rollover trickier (you'd need to issue a new cert with the same serial). Having only keyid allows for easier CA rollover.

don't copy issuer to authorityKeyIdentifier
issuer contains the CA' serial number, thus making CA rollover trickier (you'd need to issue a new cert with the same serial). Having only keyid allows for easier CA rollover.
29c8be70 · godog · e6a32284 · 29c8be70
Commit 29c8be70 authored Apr 29, 2015 by godog
--- a/cam/templates/ext_config
+++ b/cam/templates/ext_config
@@ -3,7 +3,7 @@ nsCertType              = %(usage)s
 keyUsage                = nonRepudiation, digitalSignature, keyEncipherment
 extendedKeyUsage        = clientAuth, serverAuth
 subjectKeyIdentifier    = hash
-authorityKeyIdentifier  = keyid, issuer:always
+authorityKeyIdentifier  = keyid:always
 subjectAltName          = @subject_alt_name
 issuerAltName           = issuer:copy
 crlDistributionPoints   = @cdp_section