Cockroach-generated CA certs don't include required SubjectKeyID extension #43706

@lily-commure

Description

Describe the problem

cockroach cert create-ca doesn't add a SubjectKeyID to the resulting cert, because of golang/go#26676. This is required by RFC 5280 for CA certs.

To Reproduce

$ cockroach cert create-ca --certs-dir . --ca-key key
$ openssl x509 -noout -text -in ca.crt

You can see that the resulting CA cert is missing the SubjectKeyID extension.

Expected behavior

I expected the CA cert to have the SubjectKeyID present.

Environment:

  • CockroachDB version: 19.1.2

Additional context
What was the impact?

Not putting SKID on the CA certs makes it difficult to migrate smoothly from one cockroachdb-generated CA cert to another, because both certs have the same name (O=Cockroach, CN=Cockroach CA). So it's not possible (with certain common implementations of SSL chain building, e.g. openssl's) to have both CA certs available to validate node certificates, since only one of them will be selected. Having the SKID on the certs would allow using the AKID of the node certificates to disambiguate here, making this sort of migration easier. It's possible to work around this by generating the CA certs yourself, making sure they either include SKID or use different names.

Jira issue: CRDB-5272
