missing keyCertSign extension on intermediate ca
krmxd opened this issue · 1 comments
krmxd commented
https://www.rfc-editor.org/rfc/rfc5280#section-4.2
The keyCertSign bit is asserted when the subject public key is
used for verifying signatures on public key certificates. If the
keyCertSign bit is asserted, then the cA bit in the basic
constraints extension (Section 4.2.1.9) MUST also be asserted.
The cRLSign bit is asserted when the subject public key is used
for verifying signatures on certificate revocation lists (e.g.,
CRLs, delta CRLs, or ARLs).
When creating a full chain the intermediate ca seems to be missing key extensions for verifying signatures.
The issue_csr method isn't adding the needed extensions (at least that's my (current) finding).
```python
from cryptography import x509  # the reporter's snippet uses the cryptography x509 API

# Extension that the intermediate CSR/certificate is missing: assert
# keyCertSign and cRLSign so the key may verify certificate and CRL signatures.
csr_builder = csr_builder.add_extension(
    x509.KeyUsage(
        key_cert_sign=True,
        crl_sign=True,
        digital_signature=True,
        content_commitment=True,
        key_encipherment=False,
        data_encipherment=False,
        key_agreement=False,
        encipher_only=False,
        decipher_only=False,
    ),
    critical=False,
)
```
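Added example, not code from the project or from the reporter: it uses the `cryptography` x509 API to issue a constructed intermediate CA certificate with and without the KeyUsage extension, then checks each against the RFC 5280 rule quoted above (keyCertSign and cRLSign asserted, and cA=TRUE whenever keyCertSign is). The helper names, the common names and the one-year validity are assumptions made here.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def build_ca_cert(cn, issuer_key, issuer_cn, with_key_usage=True):
    """Issue a CA cert with cA=TRUE (RFC 5280 4.2.1.9); with_key_usage=False reproduces the reported gap."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
        .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
        .public_key(key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
    )
    if with_key_usage:
        builder = builder.add_extension(x509.KeyUsage(
            digital_signature=True, content_commitment=False, key_encipherment=False,
            data_encipherment=False, key_agreement=False, key_cert_sign=True,
            crl_sign=True, encipher_only=False, decipher_only=False), critical=True)
    return builder.sign(issuer_key, hashes.SHA256())

def ext(cert, cls):
    # Value of the extension of class `cls`, or None when the cert lacks it.
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None

def check_ca_key_usage(cert):
    """RFC 5280 problems that stop `cert` from verifying issued certs and CRLs."""
    ku, bc = ext(cert, x509.KeyUsage), ext(cert, x509.BasicConstraints)
    if ku is None:
        return ["no KeyUsage extension: keyCertSign and cRLSign are not asserted"]
    problems = []
    if not ku.key_cert_sign:
        problems.append("keyCertSign not asserted")
    if not ku.crl_sign:
        problems.append("cRLSign not asserted")
    if ku.key_cert_sign and not (bc is not None and bc.ca):
        problems.append("keyCertSign asserted but BasicConstraints cA is not")
    return problems

# Constructed sample: one root key signs an intermediate with and one without KeyUsage.
ROOT_KEY = ec.generate_private_key(ec.SECP256R1())
GOOD_INTERMEDIATE = build_ca_cert("Constructed Intermediate", ROOT_KEY, "Constructed Root")
BAD_INTERMEDIATE = build_ca_cert("Constructed Intermediate", ROOT_KEY, "Constructed Root", False)
```

Running `check_ca_key_usage` over an issued chain is a cheap regression check for this bug: the intermediate without KeyUsage is rejected while the one with keyCertSign/cRLSign and cA=TRUE passes.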
kairoaraujo commented
Thanks @krmxd, for reporting this issue.