OpenVPN · zhangyoufu · Mar 25, 2022
diff --git a/easyrsa3/openssl-easyrsa.cnf b/easyrsa3/openssl-easyrsa.cnf
@@ -113,15 +113,14 @@ serialNumber_default	= $ENV::EASYRSA_REQ_SERIAL
 [ basic_exts ]
 basicConstraints	= CA:FALSE
 subjectKeyIdentifier	= hash
-authorityKeyIdentifier	= keyid,issuer:always
+authorityKeyIdentifier	= keyid:always
 
 # The Easy-RSA CA extensions
 [ easyrsa_ca ]
 
 # PKIX recommendations:
 
 subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
 
 # This could be marked critical, but it's nice to support reading by any
 # broken clients who attempt to do so.
@@ -143,4 +142,4 @@ keyUsage = cRLSign, keyCertSign
 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
 
 # issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always,issuer:always
+authorityKeyIdentifier=keyid:always
diff --git a/easyrsa3/x509-types/ca b/easyrsa3/x509-types/ca
@@ -8,5 +8,5 @@
 
 basicConstraints = CA:TRUE
 subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer:always
+authorityKeyIdentifier = keyid:always
 keyUsage = cRLSign, keyCertSign
diff --git a/easyrsa3/x509-types/client b/easyrsa3/x509-types/client
@@ -2,6 +2,6 @@
 
 basicConstraints = CA:FALSE
 subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer:always
+authorityKeyIdentifier = keyid:always
 extendedKeyUsage = clientAuth
 keyUsage = digitalSignature
diff --git a/easyrsa3/x509-types/code-signing b/easyrsa3/x509-types/code-signing
@@ -2,6 +2,6 @@
 
 basicConstraints = CA:FALSE
 subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer:always
+authorityKeyIdentifier = keyid:always
 extendedKeyUsage = codeSigning
 keyUsage = digitalSignature
diff --git a/easyrsa3/x509-types/email b/easyrsa3/x509-types/email
@@ -2,6 +2,6 @@
 
 basicConstraints = CA:FALSE
 subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer:always
+authorityKeyIdentifier = keyid:always
 extendedKeyUsage = emailProtection
 keyUsage = digitalSignature,keyEncipherment,nonRepudiation
diff --git a/easyrsa3/x509-types/kdc b/easyrsa3/x509-types/kdc
@@ -2,7 +2,7 @@
 
 basicConstraints = CA:FALSE
 subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer:always
+authorityKeyIdentifier = keyid:always
 extendedKeyUsage = 1.3.6.1.5.2.3.5
 keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
 issuerAltName = issuer:copy

diff --git a/easyrsa3/x509-types/server b/easyrsa3/x509-types/server
@@ -2,6 +2,6 @@
 
 basicConstraints = CA:FALSE
 subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer:always
+authorityKeyIdentifier = keyid:always
 extendedKeyUsage = serverAuth
 keyUsage = digitalSignature,keyEncipherment
diff --git a/easyrsa3/x509-types/serverClient b/easyrsa3/x509-types/serverClient
@@ -2,6 +2,6 @@
 
 basicConstraints = CA:FALSE
 subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer:always
+authorityKeyIdentifier = keyid:always
 extendedKeyUsage = serverAuth,clientAuth
 keyUsage = digitalSignature,keyEncipherment