signed certs have empty AKI? #1403

@ShinyZero0

I run the following sequence of commands to generate a self-signed root CA and sign a server cert with it:

cfssl genkey -initca csr.json | cfssljson -bare root
cfssl genkey csr.json | cfssljson -bare server
cfssl sign -ca root.pem -ca-key root-key.pem server.csr | cfssljson -bare server

csr.json contents:

{
  "hosts": ["localhost", "127.0.0.1"],
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "CN": "localhost",
  "names": []
}

I see no errors in the process.

Then I run

cfssl certinfo -cert server.pem

and see the following line:

"authority_key_id": ""

I have an app with gRPC using TLS that fails (most likely because of the issue) with the following error:

transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority

My cfssl

cfssl version

outputs

Version: 1.6.5
Runtime: go1.23.0

I see in the README that AKI is not set for self-signed certs, which is perfectly reasonable, but the server cert here is not self-signed.
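Added example, not part of the original issue and not cfssl code: Go's `crypto/x509.CreateCertificate` documents that the AuthorityKeyId is taken from the parent's SubjectKeyId unless the resulting certificate is self-signed, and in the steps above the root and the server are built from the same csr.json, so their subjects are identical. The sketch below reproduces that condition with the standard library only. That cfssl's signer behaves the same way is an assumption, and the helper names `template` and `issueLeaf`, the fixed SKI bytes and the CN `localhost-server` are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template returns a minimal certificate template (constructed test data).
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		DNSNames:              []string{"localhost"},
	}
}

// issueLeaf creates a root named caCN, signs a leaf named leafCN with it,
// and returns the root's SubjectKeyId and the leaf's AuthorityKeyId.
func issueLeaf(caCN, leafCN string) (caSKI, leafAKI []byte) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := template(caCN, 1, true)
	caTmpl.SubjectKeyId = []byte{0xCA, 0x01} // fixed SKI so the comparison is obvious
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))

	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, template(leafCN, 2, false), ca, &leafKey.PublicKey, caKey))))
	return ca.SubjectKeyId, leaf.AuthorityKeyId
}

func main() {
	for _, leafCN := range []string{"localhost", "localhost-server"} {
		ski, aki := issueLeaf("localhost", leafCN)
		fmt.Printf("root CN=localhost SKI=%x, leaf CN=%s AKI=%x\n", ski, leafCN, aki)
	}
}
```

The leaf that shares the root's subject comes back with no AKI, while the leaf with a distinct subject carries the root's SKI as its AKI.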
