[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: tls init def ctx failed: -1 with my cacert signed certs

To: Karsten Künne <kuenne@rentec.com>
Subject: Re: tls init def ctx failed: -1 with my cacert signed certs
From: Michael Ströder <michael@stroeder.com>
Date: Sat, 25 Jul 2009 13:23:28 +0200
Cc: openldap-software@openldap.org
In-reply-to: <200907241622.29703.kuenne@rentec.com>
References: <4A69B31A.80501@powercraft.nl> <878wieyrsz.fsf@rubin.avci.de> <4A6A00C8.6080907@powercraft.nl> <200907241622.29703.kuenne@rentec.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.22) Gecko/20090606 SeaMonkey/1.1.17

Karsten Künne wrote:
> They might not support the AKI extension which is surprising 
> as this extension is rather trivial to add.

Well, they should add it to be compliant with PKIX cert profile.

RFC 5280, section 4.2.1.1.:

   The keyIdentifier field of the authorityKeyIdentifier extension MUST
   be included in all certificates generated by conforming CAs to
   facilitate certification path construction.  There is one exception;
   where a CA distributes its public key in the form of a "self-signed"
   certificate, the authority key identifier MAY be omitted.

Ciao, Michael.

References:
- tls init def ctx failed: -1 with my cacert signed certs
  - From: Jelle de Jong <jelledejong@powercraft.nl>
- Re: tls init def ctx failed: -1 with my cacert signed certs
  - From: "Dieter Kluenter" <dieter@dkluenter.de>
- Re: tls init def ctx failed: -1 with my cacert signed certs
  - From: Jelle de Jong <jelledejong@powercraft.nl>
- Re: tls init def ctx failed: -1 with my cacert signed certs
  - From: Karsten Künne <kuenne@rentec.com>

Prev by Date: Re: tls init def ctx failed: -1 with my cacert signed certs
Next by Date: Online config, delta syncrepl and overlay chain
Index(es):
- Chronological
- Thread