Commit 29c8be70 authored by godog

don't copy issuer to authorityKeyIdentifier

issuer contains the CA's serial number, thus making CA rollover trickier (you'd
need to issue a new cert with the same serial). Having only keyid allows for
easier CA rollover.
parent e6a32284
...@@ -3,7 +3,7 @@ nsCertType = %(usage)s ...@@ -3,7 +3,7 @@ nsCertType = %(usage)s
keyUsage = nonRepudiation, digitalSignature, keyEncipherment keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth extendedKeyUsage = clientAuth, serverAuth
subjectKeyIdentifier = hash subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always authorityKeyIdentifier = keyid:always
subjectAltName = @subject_alt_name subjectAltName = @subject_alt_name
issuerAltName = issuer:copy issuerAltName = issuer:copy
crlDistributionPoints = @cdp_section crlDistributionPoints = @cdp_section
......
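Review bot: On the authorityKeyIdentifier line, keyid:always makes OpenSSL abort signing when the issuing CA certificate carries no subjectKeyIdentifier, and that requirement is not documented anywhere in this section. The subjectKeyIdentifier = hash shown here applies only to certificates issued from this template, so please confirm the CA certificate's own configuration sets it too and add a comment above the line saying so. It is also worth stating in the commit message that the easier rollover depends on the replacement CA certificate reusing the same key, since the keyid is derived from the CA public key, and that certificates issued before this change still embed the old issuer and serial until they are reissued.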