Bug #51

closed

Signing CSRs with requested extensions produces certificates with duplicate extension entries.

Added by Felix Tiede almost 12 years ago. Updated almost 12 years ago.

Status: Closed
Priority: High
Assignee:
Target version:
Start date: 11/15/2013
Due date: 11/22/2013
% Done: 100%
Estimated time: 8:00 h
Spent time:

Description

CSRs may contain requested extensions, which may or may not be included in the certificate at the signing CA's discretion. Currently, if those requested extensions are included in the certificate, the CA's extensions (which are also added but with different values) might generate duplicate extension entries.

For example, if a CSR contains a requested extension "X509v3 Basic Constraints" with a value "CA:FALSE", upon signing a duplicate extension entry with the exact same name and value is included in the certificate.

Signing a request with a requested extension should either include the requested extension and ignore the CA's default extension with the same name, or overwrite the requested extension with the CA's extension.
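The two resolutions proposed in the description, sketched as an added example (not code from the project this bug was filed against). RFC 5280 section 4.2 forbids more than one instance of an extension in a certificate, so the merge keys on the extension OID. The `Ext` tuple, the function names, the `allowed` parameter and the sample values are constructed for this illustration.

```python
from collections import Counter
from typing import NamedTuple


class Ext(NamedTuple):
    oid: str        # dotted OID, e.g. 2.5.29.19 = basicConstraints
    critical: bool
    value: str      # readable stand-in for the DER-encoded extnValue


def duplicate_oids(exts):
    """Return the OIDs that occur more than once in an extension list."""
    counts = Counter(e.oid for e in exts)
    return sorted(oid for oid, n in counts.items() if n > 1)


def merge_extensions(requested, ca_defaults, prefer="ca", allowed=None):
    """Merge CSR-requested and CA default extensions, one entry per OID.

    prefer="ca":      the CA's extension overwrites a requested one.
    prefer="request": the requested extension wins over the CA default.
    allowed:          optional set of OIDs the CA agrees to copy from the CSR
                      (an assumption of this example, modelling CA discretion).
    """
    if prefer not in ("ca", "request"):
        raise ValueError("prefer must be 'ca' or 'request'")
    for name, exts in (("CSR", requested), ("CA defaults", ca_defaults)):
        dups = duplicate_oids(exts)
        if dups:
            raise ValueError(f"{name} already contains duplicates: {dups}")
    if allowed is not None:
        requested = [e for e in requested if e.oid in allowed]
    winner, loser = ((ca_defaults, requested) if prefer == "ca"
                     else (requested, ca_defaults))
    merged = {e.oid: e for e in loser}
    merged.update({e.oid: e for e in winner})   # same OID: winner replaces loser
    return list(merged.values())


# Constructed sample data matching the report: both sides carry basicConstraints.
CSR_EXTS = [Ext("2.5.29.19", False, "CA:FALSE"),
            Ext("2.5.29.17", False, "DNS:host.example")]
CA_EXTS = [Ext("2.5.29.19", True, "CA:FALSE"),
           Ext("2.5.29.15", True, "digitalSignature, keyEncipherment")]

if __name__ == "__main__":
    print("naive concat:", duplicate_oids(CA_EXTS + CSR_EXTS))
    for policy in ("ca", "request"):
        out = merge_extensions(CSR_EXTS, CA_EXTS, prefer=policy)
        print(policy, duplicate_oids(out), out)
```

Running `duplicate_oids` over the final extension list just before signing gives a cheap regression check for this bug.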
