Remove issuer from authorityKeyIdentifier in X.509 extensions

[IPv4v6]

Current:

$ more easyrsa3/x509-types/server
# X509 extensions for a server

basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = serverAuth
keyUsage = digitalSignature,keyEncipherment

The authorityKeyIdentifier should only contain the keyid. The keyid is sufficient and it is common practice in public certificates.

See the Mozilla certificate policy:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#52-forbidden-and-required-practices

CAs MUST NOT issue certificates that have ...
incorrect extensions (e.g., SSL certificates that exclude SSL usage, or authority key IDs that include both the key ID and the issuer’s issuer name and serial number)

In case you want to renew your CA certificate, it has some advantages:
https://v13.gr/2013/04/11/x509v3-authority-key-identifier-authoritykeyidentifier/

[TinCanTech]

Have you tested this yet ?

[bronger]

Can it be that my current OpenVPN error (via NetwortManager) is due to this issue:

VERIFY ERROR: depth=1, error=authority and subject key identifier mismatch: CN=vpn.bronger.org, serial=257…
OpenSSL: error:0A000086:SSL routines::certificate verify failed

[TinCanTech]

@bronger Certificates are public keys, so you could show us yours.

[bronger]

I posted it here: https://pastebin.com/WgJJ4EKX

[TinCanTech]

Can I also see your CA public certificate. A temporary paste service is fine.

[bronger]

It’s here: https://pastebin.com/5CGJw4xx

[TinCanTech]

@bronger Thank you for your cooperation.

The error message is correct: authority and subject key identifier mismatch

Because you are using NetwortManager, all I can suggest is that you ask there.
My guess would be that you have incorrectly selected your CA certificate.

[bronger]

So that I understand you correctly: My problem highly probably will not be solved by merging the pull request connected with this issue, but is to the fact that the server certificate does not match the client certificate?

My understand was that one certificate (or both) were rejected by OpenSSL because there are internal inconsistencies in the certificate. However, I admit that I don’t fully understand the error message (and its explanations in the man pages, for that matter).

[TinCanTech]

@bronger This PR will definitely not solve your problem.

If you used EasyRSA to create your PKI then please start your own issue here.

Otherwise, please take up your issue with who/what is the creator of your PKI.

[bronger]

My PKI is created with the quite popular https://github.com/kylemanna/docker-openvpn which in turn uses easy-rsa for creating the certs.

I will make further investigations and possibly open an issue.

Thank you for your information!