[Pki-devel] [PATCH] 0017 Enable Authority Key Identifier CRL extension

Fraser Tweedale ftweedal at redhat.com
Thu Oct 30 06:09:43 UTC 2014


This patch enables the Authority Key Identifier CRL Extension, which
is REQUIRED by RFC 5280, by default.

Should existing instances be left alone or should I also look at an
upgrade script that offers to upgrade CS.cfg to be conformant?

Fraser
-------------- next part --------------
From eeff7b51c948086ac86d8da9d55cd3c36dfffc81 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Thu, 30 Oct 2014 01:58:15 -0400
Subject: [PATCH] Enable Authority Key Identifier CRL extension by default

RFC 5280 states:

   Conforming CRL issuers are REQUIRED to include the authority key
   identifier (Section 5.2.1) and the CRL number (Section 5.2.3)
   extensions in all CRLs issued.

Accordingly, update CS.cfg so that the Authority Key Identifier
extension is enabled by default.

Fixes https://fedorahosted.org/pki/ticket/1189
---
 base/ca/shared/conf/CS.cfg.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/base/ca/shared/conf/CS.cfg.in b/base/ca/shared/conf/CS.cfg.in
index 4ab8974e6340d81d23bb7f5ea05a07b0936b6463..f5469408b5a2da26321871d64e76da8e07344aeb 100644
--- a/base/ca/shared/conf/CS.cfg.in
+++ b/base/ca/shared/conf/CS.cfg.in
@@ -604,7 +604,7 @@ ca.crl.MasterCRL.extension.AuthorityInformationAccess.numberOfAccessDescriptions
 ca.crl.MasterCRL.extension.AuthorityInformationAccess.type=CRLExtension
 ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.class=com.netscape.cms.crl.CMSAuthorityKeyIdentifierExtension
 ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.critical=false
-ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.enable=false
+ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.enable=true
 ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.type=CRLExtension
 ca.crl.MasterCRL.extension.CRLNumber.class=com.netscape.cms.crl.CMSCRLNumberExtension
 ca.crl.MasterCRL.extension.CRLNumber.critical=false
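Review bot: The flip of `ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.enable` to `true` is made only in `CS.cfg.in`, so, as the cover mail itself asks, instances that already have a generated CS.cfg would keep `enable=false` and go on issuing CRLs without the extension. I would pair this with an upgrade script, or at least a release note telling administrators to set the value by hand, and state in the commit message which of the two was chosen. The commit message also quotes the CRL number extension as REQUIRED, but the context here shows only the `CRLNumber.class` and `CRLNumber.critical` lines; please confirm that `CRLNumber.enable` already defaults to `true` so the default configuration meets both halves of the quoted requirement. Only MasterCRL is touched in this hunk; if the template defines other issuing points they need the same change.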
-- 
1.9.3


