Add AKI to child CA certificates #642
Conversation
Thanks Illia! Is there a downside to enabling it unconditionally?
I believe root CA certificates are not supposed to have any AKI.
Thanks! LGTM.
Hey @illia-v, it looks like that was the first time we merged one of your PRs! Thanks so much! 🎉 🎂 If you want to keep contributing, we'd love to have you. So, I just sent you an invitation to join the python-trio organization on Github! If you accept, then here's what will happen:
If you want to read more, here's the relevant section in our contributing guide. Alternatively, you're free to decline or ignore the invitation. You'll still be able to contribute as much or as little as you like, and I won't hassle you about joining again. But if you ever change your mind, just let us know and we'll send another invitation. We'd love to have you, but more importantly we want you to do whatever's best for you. If you have any questions, well... I am just a humble Python script, so I probably can't help. But please do post a comment here, or in our chat, or on our forum, whatever's easiest, and someone will help you out!
(Author of the CPython patch that tripped this; thanks @sethmlarson for bringing this to my attention!) Yes, adding the AKI extension to intermediate CA certificates is the appropriate approach here, since it'll bring the certs here into closer alignment with RFC 5280 (which is what
FWIW, this is RFC 5280's exact language on AKIs in self-signed (i.e. "root") certificates:
In other words: all certs can have an AKI, but it's optional for roots. As such, there's no error in generating root CA certs with an AKI extension; it just has no effect 🙂 Ref: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1
In urllib3's tests urllib3/urllib3#3366 (comment), I discovered that child CA certificates generated by trustme do not pass verification with `ssl.VERIFY_X509_STRICT` enabled by default in CPython 3.13.0a5 python/cpython#112389.

```
$ openssl verify -x509_strict -CAfile cacert.pem -untrusted client_intermediate.pem client_intermediate.pem
O = trustme v1.1.0, OU = Testing CA #0hrzBwpZFQa95Z4M
error 85 at 1 depth lookup: Missing Authority Key Identifier
error client_intermediate.pem: verification failed
```
Adding the AKI extension to child CA certificates seems to fix the verification error.
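The following is an added example illustrating both the RFC 5280 point made above (an AKI is required on intermediates and merely optional on a self-signed root) and the strict-verification failure described in this PR. It is not trustme's code and not part of this thread; it assumes the `cryptography` package is installed and uses constructed CA names. It builds a self-signed root, an intermediate without an AKI (the pre-fix shape) and one whose AKI is derived from the root's Subject Key Identifier (the fix), then runs the AKI rules that strict chain validation enforces. It goes slightly beyond the thread by also flagging an AKI whose keyIdentifier does not match the claimed issuer's SKI, which is how path builders link a child certificate to its parent.

```python
# Added example (not trustme's own code): build a root CA plus intermediates
# with and without an AKI, then apply the AKI rules strict chain validation
# enforces.  Assumes the `cryptography` package is installed.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

MISSING_AKI = "Missing Authority Key Identifier"
AKI_MISMATCH = "Authority Key Identifier does not match issuer's Subject Key Identifier"


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _ca_builder(subject, issuer, public_key):
    """Common CA profile: BasicConstraints, KeyUsage and an SKI (RFC 5280 4.2.1.2)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(
            x509.KeyUsage(
                digital_signature=False, content_commitment=False,
                key_encipherment=False, data_encipherment=False,
                key_agreement=False, key_cert_sign=True, crl_sign=True,
                encipher_only=False, decipher_only=False,
            ),
            critical=True,
        )
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(public_key), critical=False)
    )


def make_root(cn="Constructed Test Root"):
    """Self-signed root.  RFC 5280 makes the AKI optional here, so none is added."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = _name(cn)
    cert = _ca_builder(subject, subject, key.public_key()).sign(key, hashes.SHA256())
    return key, cert


def make_intermediate(issuer_key, issuer_cert, with_aki, cn="Constructed Test Intermediate"):
    """Child CA signed by issuer_cert; with_aki=False reproduces the pre-fix shape."""
    key = ec.generate_private_key(ec.SECP256R1())
    builder = _ca_builder(_name(cn), issuer_cert.subject, key.public_key())
    if with_aki:
        # The fix: derive the AKI from the issuer's SKI so the keyIdentifier
        # values line up, which is how path builders link child to parent.
        issuer_ski = issuer_cert.extensions.get_extension_for_class(
            x509.SubjectKeyIdentifier
        ).value
        builder = builder.add_extension(
            x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(issuer_ski),
            critical=False,
        )
    return key, builder.sign(issuer_key, hashes.SHA256())


def aki_problems(cert, issuer_cert):
    """Strict-mode AKI findings for cert given its claimed issuer.

    Approximates the rule behind error 85 above: a certificate that is not
    self-issued must carry an AKI, and when it does, its keyIdentifier must
    equal the issuer's SKI.  A self-signed root is exempt.
    """
    problems = []
    try:
        aki = cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
    except x509.ExtensionNotFound:
        if cert.subject != cert.issuer:
            problems.append(MISSING_AKI)
        return problems
    issuer_ski = issuer_cert.extensions.get_extension_for_class(
        x509.SubjectKeyIdentifier
    ).value
    if aki.key_identifier != issuer_ski.digest:
        problems.append(AKI_MISMATCH)
    return problems


def demo():
    """Return the findings for a root and both intermediate variants, keyed by label."""
    root_key, root = make_root()
    _, before_fix = make_intermediate(root_key, root, with_aki=False)
    _, after_fix = make_intermediate(root_key, root, with_aki=True)
    return {
        "root (self-signed, no AKI)": aki_problems(root, root),
        "intermediate without AKI": aki_problems(before_fix, root),
        "intermediate with AKI": aki_problems(after_fix, root),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label}: {findings or 'OK'}")
```

Running it reports only the intermediate without an AKI as failing, matching the `openssl verify -x509_strict` output above, while the root passes with no AKI at all. The check is deliberately written against the issuer's SKI digest rather than the issuer name, since a name match alone would not catch an AKI that points at a different key.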