[release/10.0] Add Subject Key Identifier and Authority Key Identifier extensions to the generated dev cert #64268
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… the generated dev cert
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
DamianEdwards
added
the
Servicing-consider
Contributor
|
Hi @@github-actions[bot]. Please make sure you've updated the PR description to use the Shiproom Template. Also, make sure this PR is not marked as a draft and is ready-to-merge. To learn more about how to prepare a servicing PR click here. |
DamianEdwards
approved these changes
Nov 8, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport of #64263 to release/10.0
/cc @danegsta
Add Subject Key Identifier and Authority Key Identifier extensions to the generated dev cert
Add Subject Key Identifier and Authority Key Identifier extensions to the dev cert
Description
Adds the Subject Key Identifier (SKID) and Authority Key Identifier (AKID) extensions to the dev cert to resolve issues with OpenSSL. Additionally increases the certificate version from 4 to 5 to ensure the certificate will be refreshed after a user updates.
OpenSSL uses the SKID and AKID extensions to identify the correct trust chain for a private key (even for a single trusted root certificate like the dev cert). If multiple certificates have the same SKID (or don't have an SKID value) and share the same subject, then the incorrect public certificate may be selected to verify the key, resulting in OpenSSL verification failures.
Fixes #64261
Customer Impact
Having a certificate without the subject key identifier (and authority key identifier) can result in OpenSSL selecting the wrong version of the dev cert to verify a connection.
Regression?
[If yes, specify the version the behavior has regressed from]
Risk
These are standard certificate extensions and added by default by OpenSSL when creating a self-signed certificate. The implementations used match RFC guidelines.
Verification
Packaging changes reviewed?
When servicing release/2.3