From: Dr. Stephen Henson <steve@openssl.org>
Date: Sat, 4 Apr 2009 18:09:43 +0000 (+0000)
Subject: Change default openssl.cnf to only use issuer+serial option in AKID if no
X-Git-Tag: OpenSSL_1_0_0-beta2~41
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=326794e9c67107a9f9b0c285b7d0b8ed83773f62;p=oweals%2Fopenssl.git

Change default openssl.cnf to only use issuer+serial option in AKID if no
SKID.
---

diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 7bcaa53ede..9d2cd5bfa5 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -231,7 +231,7 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
 subjectKeyIdentifier=hash
 
-authorityKeyIdentifier=keyid:always,issuer:always
+authorityKeyIdentifier=keyid:always,issuer
 
 # This is what PKIX recommends but some broken software chokes on critical
 # extensions.
@@ -264,7 +264,7 @@ basicConstraints = CA:true
 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
 
 # issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always,issuer:always
+authorityKeyIdentifier=keyid:always
 
 [ proxy_cert_ext ]
 # These extensions should be added when creating a proxy certificate
@@ -297,7 +297,7 @@ nsComment			= "OpenSSL Generated Certificate"
 
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
+authorityKeyIdentifier=keyid,issuer
 
 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.