signed certs have empty AKI? #1403

Open
ShinyZero0 opened this issue Nov 15, 2024 · 0 comments
ShinyZero0 commented Nov 15, 2024

I run the following sequence of commands to generate a self-signed root CA and sign a server cert with it:

cfssl genkey -initca csr.json | cfssljson -bare root
cfssl genkey csr.json | cfssljson -bare server
cfssl sign -ca root.pem -ca-key root-key.pem server.csr | cfssljson -bare server

csr.json contents:

{
  "hosts": ["localhost", "127.0.0.1"],
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "CN": "localhost",
  "names": []
}

I see no errors in the process.

Then I run

cfssl certinfo -cert server.pem

and see the following line

"authority_key_id": ""

I have an app with gRPC using TLS that fails (most likely because of the issue) with the following error

transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority

my cfssl

cfssl version

outputs

Version: 1.6.5
Runtime: go1.23.0

I see in the README that AKI is not set for self-signed certs, which is perfectly reasonable, but the server here is not self-signed.
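
Added example, not part of the original report and not cfssl's code: it uses Go's crypto/x509 directly (the source of the `x509:` error text) on constructed in-memory certificates to check separately whether a leaf carries an AKI, whether that AKI equals the issuing CA's SKI, and whether the chain verifies against that CA. The names `mint` and `Triage`, the CA name and the SKI value are made up for the example; it runs a CA and leaf that share the subject CN (as when both come from one csr.json) beside a pair whose subjects differ.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mint issues a constructed P-256 test certificate; a nil parent yields a self-signed root CA.
func mint(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		DNSNames: []string{"localhost"}, KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	if parent == nil { // root: CA flag, cert-sign usage, constructed SKI, signs itself
		t.IsCA, t.KeyUsage, t.SubjectKeyId = true, x509.KeyUsageCertSign, []byte("constructed-ski")
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// Triage reports: AKI present, AKI equal to the CA's SKI, and the error from chain verification.
func Triage(leaf, ca *x509.Certificate) (hasAKI, akiMatches bool, verifyErr error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, verifyErr = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "localhost"})
	hasAKI = len(leaf.AuthorityKeyId) > 0
	return hasAKI, hasAKI && string(leaf.AuthorityKeyId) == string(ca.SubjectKeyId), verifyErr
}

func main() {
	for _, caCN := range []string{"constructed root", "localhost"} {
		ca, caKey := mint(caCN, 1, nil, nil)
		leaf, _ := mint("localhost", 2, ca, caKey)
		has, match, err := Triage(leaf, ca)
		fmt.Printf("CA CN=%q, leaf CN=\"localhost\": AKI present=%v, matches CA SKI=%v, verify error=%v\n", caCN, has, match, err)
	}
}
```

With Go's `x509.CreateCertificate`, the shared-subject pair yields a leaf with an empty AKI, yet verification against the issuing root still succeeds in both cases. Whether cfssl's signer follows the same path for the certificates in this report is not established on this page.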
