Allow digitalSignature key usage on signing certs #4352

azdagron · 2023-07-20T00:41:23Z

Turns out aws_pca sets digitalSignature on subordinate certificates.

The browser forum also has digitalSignature as a minimum requirement for CAs that sign OCSP responses.

Turns out `aws_pca` sets digitalSignature on subordinate certificates. The browser forum also has digitalSignature as a minimum requirement for CAs that sign OCSP responses. Fixes: spiffe#4351 Signed-off-by: Andrew Harding <azdagron@gmail.com>

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

Turns out `aws_pca` sets digitalSignature on subordinate certificates. The browser forum also has digitalSignature as a minimum requirement for CAs that sign OCSP responses. Fixes: spiffe#4351 Signed-off-by: Andrew Harding <azdagron@gmail.com> Co-authored-by: Evan Gilman <evan@spirl.com>

Turns out `aws_pca` sets digitalSignature on subordinate certificates. The browser forum also has digitalSignature as a minimum requirement for CAs that sign OCSP responses. Fixes: #4351 Signed-off-by: Andrew Harding <azdagron@gmail.com>

azdagron requested review from evan2645, amartinezfayo, MarcosDY and rturner3 as code owners July 20, 2023 00:41

evan2645 self-assigned this Jul 20, 2023

evan2645 approved these changes Jul 26, 2023

View reviewed changes

Merge branch 'main' into allow-digital-signature-on-signing-certs

5255f0b

evan2645 merged commit 3f553e3 into spiffe:main Jul 26, 2023
21 checks passed

evan2645 added this to the 1.7.1 milestone Jul 26, 2023

amartinezfayo added a commit to amartinezfayo/spire that referenced this pull request Jul 26, 2023

Add spiffe#4352 as part of the Changelog

bb94012

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

amartinezfayo mentioned this pull request Jul 27, 2023

Cherry-pick 4352 into v1.6.5 release #4365

Merged

amartinezfayo mentioned this pull request Jul 27, 2023

Cherry-pick 4352 into v1.7.1 release #4366

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Allow digitalSignature key usage on signing certs #4352

Allow digitalSignature key usage on signing certs #4352

azdagron commented Jul 20, 2023

Allow digitalSignature key usage on signing certs #4352

Allow digitalSignature key usage on signing certs #4352

Conversation

azdagron commented Jul 20, 2023