crypto/x509: AuthorityKeyId on self-signed certificates #15194

vanbroup opened this issue Apr 8, 2016 · 2 comments

@vanbroup vanbroup commented Apr 8, 2016

The crypto/x509 package is setting the AuthorityKeyId by default for all certificates including CA certificates. While this is not wrong according to RFC5280 section, it states that setting the authorityKeyIdentifier is optional for self-signed certificates.

The keyIdentifier field of the authorityKeyIdentifier extension MUST
be included in all certificates generated by conforming CAs to
facilitate certification path construction. There is one exception;
where a CA distributes its public key in the form of a "self-signed"
certificate, the authority key identifier MAY be omitted.
The signature on a self-signed certificate is generated with the private
key associated with the certificate's subject public key. (This
proves that the issuer possesses both the public and private keys.)
In this case, the subject and authority key identifiers would be
identical, but only the subject key identifier is needed for
certification path building.

I would like to remove the AuthorityKeyId from self-signed certificates to save about 20+ bytes in these certificates, which is useful in constrained environments.

To adopt this change a small change to the following condition is required:

I'm happy to submit this change if agreed that this is an improvement to Go.

@bradfitz bradfitz commented Apr 9, 2016

Feel free to send a change. @agl can review.

@bradfitz bradfitz added this to the Unplanned milestone Apr 9, 2016
@agl agl self-assigned this Apr 12, 2016

@gopherbot gopherbot commented Apr 12, 2016

CL mentions this issue.

@gopherbot gopherbot closed this in b623b71 Apr 14, 2016
@golang golang locked and limited conversation to collaborators Apr 15, 2017
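
An added example, not part of this thread or of the Go source: a Go program that checks the behaviour requested above against crypto/x509 as currently documented, where CreateCertificate takes AuthorityKeyId from the parent's SubjectKeyId unless the certificate is self-signed, in which case the template value is used. The function names `issue` and `demo`, the certificate names, serials, dates and fixed key seeds are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds one constructed certificate; a nil parent means self-signed.
func issue(cn string, serial int64, aki []byte, parent *x509.Certificate, key, signer ed25519.PrivateKey) (*x509.Certificate, error) {
	ski := sha1.Sum(key.Public().(ed25519.PublicKey)) // 20-byte key identifier
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Unix(1700000000, 0), NotAfter: time.Unix(1800000000, 0),
		SubjectKeyId: ski[:], AuthorityKeyId: aki, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed CA: the template doubles as the parent
		parent, tmpl.IsCA, tmpl.KeyUsage = tmpl, true, x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), signer) // AKI: template value if self-signed, else parent.SubjectKeyId
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// demo (fixed, constructed key seeds) returns the root as built, the root with AKI forced, and a leaf.
func demo() (bare, forced, leaf *x509.Certificate, err error) {
	caKey, leafKey := ed25519.NewKeyFromSeed(make([]byte, 32)), ed25519.NewKeyFromSeed(append(make([]byte, 31), 1))
	if bare, err = issue("Example Root", 1, nil, nil, caKey, caKey); err == nil {
		forced, err = issue("Example Root", 1, bare.SubjectKeyId, nil, caKey, caKey)
	}
	if err == nil {
		leaf, err = issue("leaf.example", 2, nil, bare, leafKey, caKey)
	}
	return
}

func main() {
	bare, forced, leaf, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("root AKI=%x, AKI costs %d bytes, leaf AKI=%x\n", bare.AuthorityKeyId, len(forced.Raw)-len(bare.Raw), leaf.AuthorityKeyId)
}
```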