missing keyCertSign extension on intermediate ca #56

krmxd · 2021-12-26T17:20:47Z

https://www.rfc-editor.org/rfc/rfc5280#section-4.2

  The keyCertSign bit is asserted when the subject public key is
  used for verifying signatures on public key certificates.  If the
  keyCertSign bit is asserted, then the cA bit in the basic
  constraints extension (Section 4.2.1.9) MUST also be asserted.

  The cRLSign bit is asserted when the subject public key is used
  for verifying signatures on certificate revocation lists (e.g.,
  CRLs, delta CRLs, or ARLs).

When creating a full chain the intermediate ca seems to missing key extensions for verifying signatures.

The issue_csr method isn't adding the needed extensions (at least that's my (current) finding).

csr_builder = csr_builder.add_extension( x509.KeyUsage(key_cert_sign=True, crl_sign=True, digital_signature=True, content_commitment=True, key_encipherment=False, data_encipherment=False, key_agreement=False, encipher_only=False, decipher_only=False, ), critical=False )

The text was updated successfully, but these errors were encountered:

kairoaraujo · 2021-12-27T12:51:46Z

Thanks @krmxd, for reporting this issue.

kairoaraujo added bug Something isn't working good first issue Good for newcomers help wanted Extra attention is needed labels Dec 27, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

missing keyCertSign extension on intermediate ca #56

missing keyCertSign extension on intermediate ca #56

krmxd commented Dec 26, 2021

kairoaraujo commented Dec 27, 2021

missing keyCertSign extension on intermediate ca #56

missing keyCertSign extension on intermediate ca #56

Comments

krmxd commented Dec 26, 2021

kairoaraujo commented Dec 27, 2021