bc6d499 Add Subject Key Identifier to CA cert validity check

1 file Authored by ftweedal 6 years ago, Committed by mbasti 6 years ago,
    Add Subject Key Identifier to CA cert validity check
    
    CA certificates MUST have the Subject Key Identifier extension to
    facilitate certification path construction.  Not having this
    extension on the IPA CA certificate will cause failures in Dogtag
    during signing; it tries to copy the CA's Subject Key Identifier to
    the new certificate's Authority Key Identifier extension, which
    fails.
    
    When installing an externally-signed CA, check that the Subject Key
    Identifier extension is present in the CA certificate.
    
    Fixes: https://pagure.io/freeipa/issue/6976
    Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
    
        
file modified
+6 -0
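
Added example, not part of this commit or of FreeIPA's code: a sketch of the presence check the commit message describes, and of the SKI-to-AKI copy that fails without it, using the Python `cryptography` library. The helper names and the throwaway "Example Test CA" certificates are assumptions constructed for illustration.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_ca_cert(with_ski):
    """Build a throwaway self-signed CA cert (constructed sample, not a real CA)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    start = datetime.datetime(2024, 1, 1)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    )
    if with_ski:
        ski = x509.SubjectKeyIdentifier.from_public_key(key.public_key())
        builder = builder.add_extension(ski, critical=False)
    return builder.sign(key, hashes.SHA256())


def subject_key_identifier(cert):
    """Return the SKI bytes, or None when the extension is absent."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier)
    except x509.ExtensionNotFound:
        return None
    return ext.value.digest


def authority_key_identifier_for(ca_cert):
    """AKI for a cert issued by ca_cert: the issuer's SKI, copied over."""
    ski = subject_key_identifier(ca_cert)
    if ski is None:
        # The failure mode from the commit message: nothing to copy.
        raise ValueError("CA certificate has no Subject Key Identifier")
    return x509.AuthorityKeyIdentifier(ski, None, None)


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, subject_key_identifier(make_ca_cert(flag)))
```

Running the presence check when the external CA certificate is installed surfaces the problem up front rather than at the first signing operation.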