With Best Regards, Tim
On 09/05/2017 03:08 PM, Ian Jackson wrote:
> Christoph Berg writes ("Re: Help, I broke sso.debian.org for chrome"):
>> Re: Enrico Zini 2017-09-05 <[🔎] 20170905093701.xncmprl2x4so6hu4@enricozini.org>
>>> I refactored the certificate generation code for sso.debian.org, and the
>>> certificates it generates now still work in Firefox but not in Chrome.
>>
>> My guess is that the new-style certificates are missing some
>> attributes:
>>
>> Old certificate from 2015:
>>
>> X509v3 extensions:
>> X509v3 Basic Constraints: critical
>> CA:FALSE
>> X509v3 Key Usage: critical
>> Digital Signature, Key Encipherment, Key Agreement
>> X509v3 Extended Key Usage:
>> TLS Web Client Authentication
>
> This last one seems like it ought to be there. I don't know about the
> Key Usage.
>
> IIRC there are ways to get the openssl CLI to add specific extenstions
> but I don't know how to do that in the API Enrico is using in sso.
>
> FYI, Enrico, the openssl CLI tool can dump this kind of thing so you
> can compare before and after. I forget the exact runes I'm afraid.
Or GnuTLS's certtool:
certtool -i --infile tests/certs/x509-ca-cert.pem
Regards, Tim
Attachment:
signature.asc
Description: OpenPGP digital signature