Change default openssl.cnf to only use issuer+serial option in AKID if no

author Dr. Stephen Henson <steve@openssl.org>

Sat, 4 Apr 2009 18:09:43 +0000 (18:09 +0000)

committer Dr. Stephen Henson <steve@openssl.org>

Sat, 4 Apr 2009 18:09:43 +0000 (18:09 +0000)
author Dr. Stephen Henson <steve@openssl.org>
Sat, 4 Apr 2009 18:09:43 +0000 (18:09 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Sat, 4 Apr 2009 18:09:43 +0000 (18:09 +0000)
diff --git a/apps/openssl.cnf b/apps/openssl.cnf

index 7bcaa53ede5faa99fe77d2a0e737ce4ac51616a4..9d2cd5bfa52f3121b08b494a0ea4bbfbba32ea31 100644 (file)
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -231,7 +231,7 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  
  subjectKeyIdentifier=hash
  
-authorityKeyIdentifier=keyid:always,issuer:always
+authorityKeyIdentifier=keyid:always,issuer
  
  # This is what PKIX recommends but some broken software chokes on critical
  # extensions.
@@ -264,7 +264,7 @@ basicConstraints = CA:true
  # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
  
  # issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always,issuer:always
+authorityKeyIdentifier=keyid:always
  
  [ proxy_cert_ext ]
  # These extensions should be added when creating a proxy certificate
@@ -297,7 +297,7 @@ nsComment                   = "OpenSSL Generated Certificate"
  
  # PKIX recommendations harmless if included in all certificates.
  subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
+authorityKeyIdentifier=keyid,issuer
  
  # This stuff is for subjectAltName and issuerAltname.
  # Import the email address.
author	Dr. Stephen Henson <steve@openssl.org>
	Sat, 4 Apr 2009 18:09:43 +0000 (18:09 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Sat, 4 Apr 2009 18:09:43 +0000 (18:09 +0000)