Commit 29c8be70 authored by godog

don't copy issuer to authorityKeyIdentifier

issuer contains the CA's serial number, thus making CA rollover trickier (you'd
need to issue a new cert with the same serial). Having only keyid allows for
easier CA rollover.
parent e6a32284
......@@ -3,7 +3,7 @@ nsCertType = %(usage)s
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
authorityKeyIdentifier = keyid:always
subjectAltName = @subject_alt_name
issuerAltName = issuer:copy
crlDistributionPoints = @cdp_section
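Review bot: on the changed authorityKeyIdentifier line, `keyid:always` makes OpenSSL abort signing when the issuing CA certificate has no subjectKeyIdentifier, so confirm the CA cert carries one before this template is used. A short comment above the line recording why issuer is no longer copied would stop someone from re-adding `issuer:always` later. Certificates already issued from the old template still embed the issuer name and serial, so they only get the easier rollover once they are reissued.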