Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Simplify KU, EKU, and SKID fields of issued certs #472

Merged
merged 2 commits into from
Aug 21, 2024
Merged

Conversation

aarongable
Copy link
Contributor

To reflect current WebPKI best practices:

  • Do not include the KeyEncipherment KU in end-entity certs (it is not used in TLS 1.2+)
  • Do not include the TLS Client Auth EKU in any certs (root programs are moving towards single-purpose hierarchies)
  • Do not include the Subject Key ID in end-entity certs (it is not useful for chain-building there)

ca/ca.go Outdated Show resolved Hide resolved
@aarongable aarongable merged commit ac77969 into main Aug 21, 2024
14 checks passed
@aarongable aarongable deleted the simplify-kus branch August 21, 2024 20:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants