
Simplify KU, EKU, and SKID fields of issued certs#472

Merged
aarongable merged 2 commits into main from simplify-kus on Aug 21, 2024

Conversation

@aarongable

Contributor

To reflect current WebPKI best practices:

  • Do not include the KeyEncipherment KU in end-entity certs (it is not used in TLS 1.2+)
  • Do not include the TLS Client Auth EKU in any certs (root programs are moving towards single-purpose hierarchies)
  • Do not include the Subject Key ID in end-entity certs (it is not useful for chain-building there)
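As an added illustration of the three changes listed above (this is example code written for this page, not Pebble's own `ca/ca.go`), the Go program below mints two self-signed leaf certificates, one shaped like the old issuance profile and one like the simplified profile, and runs a small checker over the parsed certificates that flags a KeyEncipherment KU, a TLS Client Auth EKU, or a Subject Key ID on an end-entity cert. The name `example.test`, the constructed SKID bytes, and the function names `LeafProfileIssues`, `LegacyLeaf` and `SimplifiedLeaf` are all assumptions of this example; the certificates are self-signed only so that it runs stand-alone.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// LeafProfileIssues lists which of the three simplifications from this PR a
// parsed end-entity certificate still violates. An empty result means the
// leaf conforms: no KeyEncipherment KU, no ClientAuth EKU, no SKID.
func LeafProfileIssues(cert *x509.Certificate) []string {
	var issues []string
	if cert.KeyUsage&x509.KeyUsageKeyEncipherment != 0 {
		issues = append(issues, "KeyEncipherment KU present (not used by TLS 1.2+ key exchange)")
	}
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageClientAuth {
			issues = append(issues, "TLS Client Auth EKU present (root programs prefer single-purpose hierarchies)")
			break
		}
	}
	if len(cert.SubjectKeyId) != 0 {
		issues = append(issues, "Subject Key ID present (not needed for chain-building on a leaf)")
	}
	return issues
}

// issueLeaf mints a self-signed leaf for the constructed name "example.test"
// with the given KU/EKU/SKID settings. Self-signed only so the example is
// stand-alone; a real CA would sign with its intermediate key.
func issueLeaf(ku x509.KeyUsage, eku []x509.ExtKeyUsage, skid []byte) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.test"},
		DNSNames:              []string{"example.test"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              ku,
		ExtKeyUsage:           eku,
		SubjectKeyId:          skid, // Go auto-generates an SKID only for CA templates
		BasicConstraintsValid: true,
		IsCA:                  false,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// LegacyLeaf reproduces the pre-PR shape: KeyEncipherment KU, ClientAuth EKU, and an SKID.
func LegacyLeaf() (*x509.Certificate, error) {
	return issueLeaf(
		x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		[]byte{0x01, 0x02, 0x03, 0x04}, // constructed SKID value for the example
	)
}

// SimplifiedLeaf reproduces the post-PR shape: DigitalSignature only, ServerAuth only, no SKID.
func SimplifiedLeaf() (*x509.Certificate, error) {
	return issueLeaf(
		x509.KeyUsageDigitalSignature,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		nil,
	)
}

func main() {
	for name, mint := range map[string]func() (*x509.Certificate, error){
		"legacy": LegacyLeaf, "simplified": SimplifiedLeaf,
	} {
		cert, err := mint()
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-10s issues: %v\n", name, LeafProfileIssues(cert))
	}
}
```

Running it reports three issues for the legacy-shaped leaf and none for the simplified one. The same `LeafProfileIssues` check can be pointed at any parsed certificate (for instance one fetched from a Pebble instance in CI) to confirm a client's expected-usages list matches what the CA now issues, which is exactly the mismatch the cert-manager commits referencing this PR had to accommodate.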

@aarongable aarongable requested a review from mcpherrinm August 21, 2024 17:01
@aarongable aarongable merged commit ac77969 into main Aug 21, 2024
@aarongable aarongable deleted the simplify-kus branch August 21, 2024 20:36
wallrj pushed a commit to wallrj/cert-manager that referenced this pull request May 30, 2025
…usages by default

so we need to add them to the list of expected usages.
- letsencrypt/pebble#472
- https://github.com/letsencrypt/pebble/releases/tag/v2.7.0

Signed-off-by: Richard Wall <richard.wall@cyberark.com>
wallrj pushed a commit to wallrj/cert-manager that referenced this pull request May 30, 2025
It drops any other KUs that are in the CSR.
Make sure that Digital Signature is the only KU we request so that the
CSR and the signed certificate match during the verification at the end of the test.

- letsencrypt/pebble#472
- https://github.com/letsencrypt/pebble/releases/tag/v2.7.0

Signed-off-by: Richard Wall <richard.wall@cyberark.com>
wallrj pushed a commit to wallrj/cert-manager that referenced this pull request May 30, 2025
It drops the CN:
- letsencrypt/pebble#420

And it drops any other KUs that are in the CSR.
Make sure that Digital Signature is the only KU we request so that the
CSR and the signed certificate match during the verification at the end of the test.

- letsencrypt/pebble#472
- https://github.com/letsencrypt/pebble/releases/tag/v2.7.0

Signed-off-by: Richard Wall <richard.wall@cyberark.com>
wallrj pushed a commit to wallrj/cert-manager that referenced this pull request Jun 1, 2025
…usages by default

so we need to add them to the list of expected usages.
- letsencrypt/pebble#472
- https://github.com/letsencrypt/pebble/releases/tag/v2.7.0

Signed-off-by: Richard Wall <richard.wall@cyberark.com>
(cherry picked from commit 01a2768)
wallrj pushed a commit to wallrj/cert-manager that referenced this pull request Jun 1, 2025
It drops any other KUs that are in the CSR.
Make sure that Digital Signature is the only KU we request so that the
CSR and the signed certificate match during the verification at the end of the test.

- letsencrypt/pebble#472
- https://github.com/letsencrypt/pebble/releases/tag/v2.7.0

Signed-off-by: Richard Wall <richard.wall@cyberark.com>
(cherry picked from commit 62f4c81)
wallrj pushed a commit to wallrj/cert-manager that referenced this pull request Jun 1, 2025
It drops the CN:
- letsencrypt/pebble#420

And it drops any other KUs that are in the CSR.
Make sure that Digital Signature is the only KU we request so that the
CSR and the signed certificate match during the verification at the end of the test.

- letsencrypt/pebble#472
- https://github.com/letsencrypt/pebble/releases/tag/v2.7.0

Signed-off-by: Richard Wall <richard.wall@cyberark.com>
(cherry picked from commit 0c50492)
kwatson added a commit to kwatson/letsencrypt-pebble that referenced this pull request Jun 9, 2025
* 'main' of https://github.com/letsencrypt/pebble: (35 commits)
  add overriding of ARI response (letsencrypt#501)
  wfe: fix a race in `orderForDisplay` (letsencrypt#500)
  Bump golang.org/x/ dependencies (letsencrypt#499)
  correctly triggers BadSignatureAlgorithmProblem at JWS parse time (letsencrypt#492)
  use newer validation subdomain for dns-account-01 (fix CI eggsampler/acme error) (letsencrypt#498)
  Orders don't have a "deactivated" status. (letsencrypt#301)
  Update golangci-lint (letsencrypt#488)
  build(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 (letsencrypt#487)
  Truncate ARI timestamps to millisecond resolution (letsencrypt#485)
  return logical and compliant ARI windows for expiring certs (letsencrypt#484)
  Update dependencies (letsencrypt#481)
  docs: rm mention of subproblems being unimpl'd (letsencrypt#479)
  Fix(NOISSUE): Fix docker compose file example in README.md (letsencrypt#475)
  Add support for ACME Profiles (letsencrypt#473)
  Simplify KU, EKU, and SKID fields of issued certs (letsencrypt#472)
  Update golangci-lint to 1.60.2 (letsencrypt#474)
  Update /x/net for compatibility with go1.23 (letsencrypt#470)
  Reject extra command line args and fix README invocation (letsencrypt#467)
  Document exposing API and management ports when not using docker-compose.yaml (letsencrypt#465)
  Implement latest draft-ietf-acme-ari spec (letsencrypt#461)
  ...
hjoshi123 pushed a commit to hjoshi123/cert-manager that referenced this pull request Jul 6, 2025
…usages by default

so we need to add them to the list of expected usages.
- letsencrypt/pebble#472
- https://github.com/letsencrypt/pebble/releases/tag/v2.7.0

Signed-off-by: Richard Wall <richard.wall@cyberark.com>
(cherry picked from commit 01a2768)
hjoshi123 pushed a commit to hjoshi123/cert-manager that referenced this pull request Jul 6, 2025
It drops any other KUs that are in the CSR.
Make sure that Digital Signature is the only KU we request so that the
CSR and the signed certificate match during the verification at the end of the test.

- letsencrypt/pebble#472
- https://github.com/letsencrypt/pebble/releases/tag/v2.7.0

Signed-off-by: Richard Wall <richard.wall@cyberark.com>
(cherry picked from commit 62f4c81)
hjoshi123 pushed a commit to hjoshi123/cert-manager that referenced this pull request Jul 6, 2025
It drops the CN:
- letsencrypt/pebble#420

And it drops any other KUs that are in the CSR.
Make sure that Digital Signature is the only KU we request so that the
CSR and the signed certificate match during the verification at the end of the test.

- letsencrypt/pebble#472
- https://github.com/letsencrypt/pebble/releases/tag/v2.7.0

Signed-off-by: Richard Wall <richard.wall@cyberark.com>
(cherry picked from commit 0c50492)

2 participants