JDK-8257497: Update keytool to create AKID from the SKID of the issuing certificate as specified by RFC 5280

Description

When using keytool to generate a certificate and have it signed with an
existing CA, keytool creates the Authority Key Identifier extension based on
the CA's public key.

Section "4.2.1.1. Authority Key Identifier" of RFC 5280 states the following:
"Where a key identifier has been previously established, the CA SHOULD use
the previously established identifier."

So if the CA certificate was not generated by keytool (in our case, RSA
Cert-J), its Subject Key Identifier might have been generated slightly
differently, i.e., not just from the public key but with some other pieces of
data. The end result is that when the new certificate is used in TLS
communication, the client may throw a certpath validation error (although the
CA is indeed in the trust store).
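The mismatch described above, as an added stand-alone example that is not part of the issue or of the JDK's keytool source. It contrasts the reported behaviour (AKID recomputed as SHA-1 of the issuer's public key, RFC 5280 section 4.2.1.2 method 1) with the RFC 5280 section 4.2.1.1 rule (copy the issuer's previously established SKID), and shows why an issuer lookup keyed on the key identifier fails when the CA's SKID was produced some other way. The public key bytes and the CA's SKID are constructed sample values, not real key material; `CA_PUBLIC_KEY_BITS`, `CA_CERT_SKID` and all function names are this example's own.

```python
import hashlib

# Constructed sample: contents of the subjectPublicKey BIT STRING of a
# hypothetical CA key. Not a real key; just bytes to hash for the demo.
CA_PUBLIC_KEY_BITS = bytes.fromhex("3082010a0282010100" + "ab" * 256 + "0203010001")

# Constructed sample: the SKID that a third-party CA tool actually wrote into
# the CA certificate. It is deliberately NOT SHA-1(public key), which is the
# situation the report describes for a CA not generated by keytool.
CA_CERT_SKID = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")


def key_identifier_method1(public_key_bits: bytes) -> bytes:
    """RFC 5280 4.2.1.2 method (1): 160-bit SHA-1 of the subjectPublicKey BIT STRING value."""
    return hashlib.sha1(public_key_bits).digest()


def key_identifier_method2(public_key_bits: bytes) -> bytes:
    """RFC 5280 4.2.1.2 method (2): four-bit type 0100 followed by the
    60 least significant bits of the SHA-1 hash (8 bytes in total)."""
    digest = hashlib.sha1(public_key_bits).digest()
    tail = digest[-8:]                       # last 64 bits of the hash
    first = 0x40 | (tail[0] & 0x0F)          # replace the top nibble with 0100
    return bytes([first]) + tail[1:]


def akid_recomputed_from_public_key(issuer_public_key_bits: bytes) -> bytes:
    """Behaviour the report describes: AKID derived from the CA public key alone,
    ignoring whatever SKID the CA certificate already carries."""
    return key_identifier_method1(issuer_public_key_bits)


def akid_per_rfc5280(issuer_skid, issuer_public_key_bits: bytes) -> bytes:
    """RFC 5280 4.2.1.1: reuse the issuer's previously established key identifier
    when the CA certificate has one; fall back to computing one only if it does not."""
    if issuer_skid is not None:
        return issuer_skid
    return key_identifier_method1(issuer_public_key_bits)


def issuer_matches_by_key_id(cert_akid: bytes, candidate_issuer_skid: bytes) -> bool:
    """Issuer selection as a path builder does it when both extensions are present:
    the child's AKID keyIdentifier must equal the candidate issuer's SKID."""
    return cert_akid == candidate_issuer_skid


if __name__ == "__main__":
    old = akid_recomputed_from_public_key(CA_PUBLIC_KEY_BITS)
    new = akid_per_rfc5280(CA_CERT_SKID, CA_PUBLIC_KEY_BITS)
    print("recomputed AKID matches CA SKID:", issuer_matches_by_key_id(old, CA_CERT_SKID))
    print("copied AKID matches CA SKID:    ", issuer_matches_by_key_id(new, CA_CERT_SKID))
```

When checking a deployed chain, compare the leaf's AKID keyIdentifier against the SKID actually present in the CA certificate rather than against a freshly computed hash of the CA key; a CA issued by a tool that uses method 2 or a vendor-specific derivation will only chain cleanly if the AKID was copied.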

People

hchao Haimay Chao
shadowbug Shadow Bug