Replies: 4 comments 3 replies
-
Then look closer and think harder because that's not it ;-) The field is definitely optional for self-signed root certificates. RFC 5280, section 4.2.1.1 says this:
|
Beta Was this translation helpful? Give feedback.
-
I'm using Strongswan 6.0, which by default uses Everything worked using a new chain when generated with:
Including Root CA certs that are now recognized correctly. |
Beta Was this translation helpful? Give feedback.
-
Windows was failing because of another bit in the cert. When I generated the end entity cert for a user I used
These were all listed under EKU when looking at the cert properties on Windows. Windows does allow selecting which EKU to use/ignore, they have a checkbox next to each one. After dropping the |
Beta Was this translation helpful? Give feedback.
-
And Apple will not be fixing the pss issue anytime soon. Hiring an engineer to fix that will cut into their already super thin profit margins. They however are happy to hire 5 engineers to convince/fool you that "it just works" 😁 |
Beta Was this translation helpful? Give feedback.
-
I used strongswan's pki to generate cert chain including a self-signed root CA. When using the chain between strongswan's server/client it works fine. Recent MacOS/Windows clients are refusing to work, and MacOS thinks that my root CA is an intermediate CA. The only thing can think of is that the CA is missing the optional "authkeyId" fields compared to other root CA's I have, including self signed CAs. The
authkeyId
field is just a copy of thesubjkeyId
in those cases.Beta Was this translation helpful? Give feedback.
All reactions