signed certs have empty AKI?

Open ShinyZero0 opened this issue 1 year ago • 0 comments

I run the following sequence of commands to generate a self-signed root CA and sign a server cert with it:

cfssl genkey -initca csr.json | cfssljson -bare root
cfssl genkey csr.json | cfssljson -bare server
cfssl sign -ca root.pem -ca-key root-key.pem server.csr | cfssljson -bare server

csr.json contents:

{
  "hosts": ["localhost", "127.0.0.1"],
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "CN": "localhost",
  "names": []
}

I see no errors in the process.

Then I run

cfssl certinfo -cert server.pem

and see the following line

"authority_key_id": ""

I have an app with gRPC using TLS that fails (most likely because of the issue) with the following error:

transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority

My cfssl

cfssl version

outputs

Version: 1.6.5
Runtime: go1.23.0

I see in the README that AKI is not set for self-signed certs, which is perfectly reasonable, but server here is not self-signed.

ShinyZero0, Nov 15 '24 12:11
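
Added example, not part of the original issue or of cfssl's code: Go's crypto/x509 `CreateCertificate` copies the issuer's subject key identifier into a new certificate's AKI only when the subject and issuer names differ, and the post reuses one csr.json (CN localhost) for both root and server. The Go program below reproduces that with constructed certificates and reports AKI/SKI linkage, signature and chain verification. `Link`, `CheckLink` and `issue` are hypothetical names, and that cfssl 1.6.5 inherits this standard-library behaviour is an assumption.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Link reports how a leaf certificate relates to a candidate issuer.
type Link struct{ AKISet, AKIMatchesSKI, SignedByIssuer, Verifies bool }

// CheckLink compares AKI with SKI, checks the signature, and verifies the leaf with issuer as sole root.
func CheckLink(leaf, issuer *x509.Certificate, dnsName string) Link {
	pool := x509.NewCertPool()
	pool.AddCert(issuer)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	aki := leaf.AuthorityKeyId
	return Link{len(aki) > 0, len(aki) > 0 && bytes.Equal(aki, issuer.SubjectKeyId),
		leaf.CheckSignatureFrom(issuer) == nil, err == nil}
}

// issue builds a constructed P-256 certificate (errors ignored for brevity); parent == nil self-signs.
func issue(cn string, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: ca, BasicConstraintsValid: true, DNSNames: []string{"localhost"},
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func main() {
	root, rootKey := issue("localhost", true, nil, nil)
	same, _ := issue("localhost", false, root, rootKey)            // subject == issuer name
	distinct, _ := issue("server.localhost", false, root, rootKey) // constructed distinct subject
	fmt.Printf("same name: %+v\ndistinct:  %+v\n", CheckLink(same, root, "localhost"), CheckLink(distinct, root, "localhost"))
}
```

To run it against the files from the post, decode `root.pem` and `server.pem` with `encoding/pem` and `x509.ParseCertificate` and pass them to `CheckLink`.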