Remove x509 name constraints
These were only added as SPIFFE intends to use the in the future but currently does not mandate their usage due to patch support in common TLS implementations and some ambiguity over how to use them with URI SAN certificates. We included them because until now everything seem fine with it, however we've found the latest version of `openssl` (1.1.0h) fails to validate our certificats if its enabled. LibreSSL as installed on OS X by default doesn’t have these issues. For now it's most compatible not to have them and later we can find ways to add constraints with wider compatibility testing.
This commit is contained in:
parent
8b27c3268a
commit
b3ba709b3d
|
@ -352,9 +352,7 @@ func (c *ConsulProvider) generateCA(privateKey string, sn uint64) (string, error
|
|||
SerialNumber: serialNum,
|
||||
Subject: pkix.Name{CommonName: name},
|
||||
URIs: []*url.URL{id.URI()},
|
||||
PermittedDNSDomainsCritical: true,
|
||||
PermittedDNSDomains: []string{id.URI().Hostname()},
|
||||
BasicConstraintsValid: true,
|
||||
BasicConstraintsValid: true,
|
||||
KeyUsage: x509.KeyUsageCertSign |
|
||||
x509.KeyUsageCRLSign |
|
||||
x509.KeyUsageDigitalSignature,
|
||||
|
|
|
@ -56,9 +56,7 @@ func TestCA(t testing.T, xc *structs.CARoot) *structs.CARoot {
|
|||
SerialNumber: sn,
|
||||
Subject: pkix.Name{CommonName: result.Name},
|
||||
URIs: []*url.URL{id.URI()},
|
||||
PermittedDNSDomainsCritical: true,
|
||||
PermittedDNSDomains: []string{id.URI().Hostname()},
|
||||
BasicConstraintsValid: true,
|
||||
BasicConstraintsValid: true,
|
||||
KeyUsage: x509.KeyUsageCertSign |
|
||||
x509.KeyUsageCRLSign |
|
||||
x509.KeyUsageDigitalSignature,
|
||||
|
|
Loading…
Reference in New Issue