View Issue Details

IDProjectCategoryView StatusLast Update
0001087bugs.cacert.orgpublic2012-07-27 22:52
ReporterDavidMcIlwraith Assigned To 
Status closedResolutionopen 
PlatformDefaultOSanyOS Versionany
Summary0001087: CAcert, Inc.'s root certificates' keyUsage field missing
DescriptionAs with _all_ other CA certificates included in TLS clients, keyUsage field in the CA certificates should be:

            X509v3 Key Usage:
                Certificate Sign, CRL Sign

Instead, it entirely lacks a keyUsage field. This may be related to the bug report with user certificates; whilst not critical (as basicConstraints is set to critical,CA:TRUE), it means that the root (class I) and subsidiary root (class III) certs are trusted for purposes other than acting as a CA.
Steps To Reproduceopenssl x509 -in root.crt -text -noout
Additional Informationn/a
TagsNo tags attached.


related to 0000540 needs feedbackNEOatNHNG Main CAcert Website No key usage attribute in cacert org certs anymore? 



2012-07-25 04:59

reporter   ~0003113

Last edited: 2012-07-25 05:00

I should add that whilst some root certificates issued prior to 2000 also lack this constraint, it is PKIX-recommended practice. (May wish to be added to the new roots that are a WIP?)

Issue History

Date Modified Username Field Change
2012-07-25 04:33 DavidMcIlwraith New Issue
2012-07-25 04:37 DavidMcIlwraith Severity major => feature
2012-07-25 04:37 DavidMcIlwraith Status new => needs work
2012-07-25 04:37 DavidMcIlwraith Steps to Reproduce Updated
2012-07-25 04:59 DavidMcIlwraith Note Added: 0003113
2012-07-25 05:00 DavidMcIlwraith Note Edited: 0003113
2012-07-27 04:27 DavidMcIlwraith Relationship added related to 0000540
2012-07-27 22:52 DavidMcIlwraith Status needs work => closed