- Bug
- Resolution: Fixed
- Priority: P3
- Fix Version: 8u251
- Resolved In Build: b11
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8266549 | 11.0.13-oracle | Sean Coffey | P3 | Resolved | Fixed | b01 |
JDK-8271847 | 11.0.13 | Martin Doerr | P3 | Resolved | Fixed | b02 |
JDK-8278054 | 8u331 | Sean Coffey | P3 | Resolved | Fixed | b01 |
When keytool is used to generate a certificate and have it signed by an existing CA, keytool creates the Authority Key Identifier (AKID) extension from the CA's public key.

Section 4.2.1.1, "Authority Key Identifier", of RFC 5280 states: "Where a key identifier has been previously established, the CA SHOULD use the previously established identifier."

So if the CA certificate was not generated by keytool (in our case, by RSA Cert-J), its Subject Key Identifier (SKID) may have been derived slightly differently, i.e., not from the public key alone but together with other pieces of data. The end result is that when the new certificate is used in TLS communication, the client may throw a certpath validation error (although the CA is indeed in the trust store).
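As an added diagnostic that is not part of this bug report or of the JDK fix, the following Java program compares a leaf certificate's AKID keyIdentifier with its issuer's SKID and, on mismatch, checks whether the AKID instead equals the RFC 5280 section 4.2.1.2 method (1) SHA-1 of the issuer's public key, which is the derivation the description above attributes to the old keytool behaviour. It assumes the leaf and CA certificates (PEM or DER) are passed as the two command-line arguments.

```java
import java.io.FileInputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

public class AkidCheck {
    // Returns {contentOffset, contentLength} of the DER TLV that starts at off.
    static int[] tlv(byte[] d, int off) {
        int len = d[off + 1] & 0xff, hdr = 2;
        if (len > 0x7f) {                      // long-form length
            int n = len & 0x7f; len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (d[off + 2 + i] & 0xff);
            hdr += n;
        }
        return new int[]{off + hdr, len};
    }
    static byte[] content(byte[] d, int off) { int[] t = tlv(d, off); return Arrays.copyOfRange(d, t[0], t[0] + t[1]); }

    // getExtensionValue() returns the OCTET STRING wrapper; the SKID body is itself an OCTET STRING.
    static byte[] skid(X509Certificate c) {
        byte[] raw = c.getExtensionValue("2.5.29.14");
        return raw == null ? null : content(content(raw, 0), 0);
    }
    // AKID body is SEQUENCE { keyIdentifier [0] IMPLICIT OCTET STRING OPTIONAL, ... }; tag byte of [0] is 0x80.
    static byte[] akidKeyId(X509Certificate c) {
        byte[] raw = c.getExtensionValue("2.5.29.35");
        if (raw == null) return null;
        byte[] seq = content(raw, 0);
        int off = tlv(seq, 0)[0];
        return (off < seq.length && (seq[off] & 0xff) == 0x80) ? content(seq, off) : null;
    }
    // RFC 5280 4.2.1.2 method (1): SHA-1 over the subjectPublicKey BIT STRING, excluding the unused-bits octet.
    static byte[] sha1KeyId(X509Certificate c) throws Exception {
        byte[] spki = c.getPublicKey().getEncoded();   // SubjectPublicKeyInfo
        int[] seq = tlv(spki, 0), alg = tlv(spki, seq[0]), bits = tlv(spki, alg[0] + alg[1]);
        return MessageDigest.getInstance("SHA-1").digest(Arrays.copyOfRange(spki, bits[0] + 1, bits[0] + bits[1]));
    }
    static X509Certificate load(String path) throws Exception {
        try (FileInputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }
    static String hex(byte[] b) { StringBuilder s = new StringBuilder(); for (byte x : b) s.append(String.format("%02X", x & 0xff)); return s.toString(); }

    public static void main(String[] args) throws Exception {   // usage: java AkidCheck leaf.pem ca.pem (paths assumed)
        X509Certificate leaf = load(args[0]), ca = load(args[1]);
        byte[] akid = akidKeyId(leaf), skid = skid(ca);
        System.out.println("leaf AKID keyIdentifier: " + (akid == null ? "absent" : hex(akid)));
        System.out.println("CA SKID:                 " + (skid == null ? "absent" : hex(skid)));
        if (akid != null && skid != null && !Arrays.equals(akid, skid)) {
            System.out.println("MISMATCH: key-identifier matching will not link the leaf to this CA");
            if (Arrays.equals(akid, sha1KeyId(ca)))
                System.out.println("AKID equals SHA-1(CA public key): the keytool derivation described in this bug");
        }
    }
}
```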
Backported by:
- JDK-8266549 Update keytool to create AKID from the SKID of the issuing certificate as specified by RFC 5280 (Resolved)
- JDK-8271847 Update keytool to create AKID from the SKID of the issuing certificate as specified by RFC 5280 (Resolved)
- JDK-8278054 Update keytool to create AKID from the SKID of the issuing certificate as specified by RFC 5280 (Resolved)

Links to:
- Commit openjdk/jdk11u-dev/0c783b06
- Commit openjdk/jdk/05301f5f
- Review openjdk/jdk11u-dev/167
- Review openjdk/jdk/2343