Wrong description in server_ca.config and client_ca.config

Started by David Zhang, almost 2 years ago, 2 messages
#1 David Zhang
david.zhang@highgo.ca
1 attachment(s)

Hi Hackers,

The current descriptions for server_ca.config and client_ca.config are
not so accurate. For example, one of the descriptions in
server_ca.config states, "This certificate is used to sign server
certificates. It is self-signed." However, the server_ca.crt and
client_ca.crt are actually signed by the root_ca.crt, which is the only
self-signed certificate. Therefore, it would be more accurate to change
it to "This certificate is used to sign server certificates. It is an
Intermediate CA."

Attached is a patch attempting to fix the description issue.

Best regards,

David

Attachments:

v1-0001-correct-description-for-server_ca-and-client_ca.patch (text/plain; charset=UTF-8)
From ddc07447152331c09daecf0202178cfe77a817a9 Mon Sep 17 00:00:00 2001
From: David Zhang <idrawone@gmail.com>
Date: Tue, 27 Feb 2024 10:06:18 -0800
Subject: [PATCH] correct description for server_ca and client_ca

---
 src/test/ssl/conf/client_ca.config | 8 +++++---
 src/test/ssl/conf/server_ca.config | 8 +++++---
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/src/test/ssl/conf/client_ca.config b/src/test/ssl/conf/client_ca.config
index 5990f06000..08365aac95 100644
--- a/src/test/ssl/conf/client_ca.config
+++ b/src/test/ssl/conf/client_ca.config
@@ -1,7 +1,9 @@
-# An OpenSSL format CSR config file for creating the client root certificate.
-# This configuration file is also used when operating the CA.
+# An OpenSSL format CSR config file for creating the client Intermediate
+# Certificate Authority. This configuration file is also used when operating
+# the CA.
 #
-# This certificate is used to sign client certificates. It is self-signed.
+# This certificate is used to sign client certificates. It is an Intermediate
+# CA.
 
 [ req ]
 distinguished_name     = req_distinguished_name
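
Review bot: The added line "It is an Intermediate CA." in client_ca.config calls a certificate a CA and still does not say who issues it. Since the reason for the change is that this certificate is not self-signed, the comment could name the issuer, for example "It is an intermediate CA certificate, signed by the root CA (root_ca.crt)." The capitalised "Intermediate" in mid-sentence could also be lower-cased.
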
diff --git a/src/test/ssl/conf/server_ca.config b/src/test/ssl/conf/server_ca.config
index 496aaba29f..15f8d1590f 100644
--- a/src/test/ssl/conf/server_ca.config
+++ b/src/test/ssl/conf/server_ca.config
@@ -1,7 +1,9 @@
-# An OpenSSL format CSR config file for creating the server root certificate.
-# This configuration file is also used when operating the CA.
+# An OpenSSL format CSR config file for creating the server Intermediate
+# Certificate Authority. This configuration file is also used when operating
+# the CA.
 #
-# This certificate is used to sign server certificates. It is self-signed.
+# This certificate is used to sign server certificates. It is an Intermediate
+# CA.
 
 [ req ]
 distinguished_name     = req_distinguished_name
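
Review bot: The first added line in server_ca.config says the CSR config is "for creating the server Intermediate Certificate Authority", but a CSR config produces a certificate, not an authority, and the removed text said "certificate". Consider "for creating the server intermediate CA certificate", which keeps the header to two lines as before. The same wording appears in the client_ca.config hunk.
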
-- 
2.34.1

#2 Daniel Gustafsson
daniel@yesql.se
In reply to: David Zhang (#1)
Re: Wrong description in server_ca.config and client_ca.config

On 27 Feb 2024, at 20:38, David Zhang <david.zhang@highgo.ca> wrote:

> Hi Hackers,
>
> The current descriptions for server_ca.config and client_ca.config are not so accurate. For example, one of the descriptions in server_ca.config states, "This certificate is used to sign server certificates. It is self-signed." However, the server_ca.crt and client_ca.crt are actually signed by the root_ca.crt, which is the only self-signed certificate.

IIRC the intent was to say it isn't signed by an official CA, but I agree it's
misleading.

> Therefore, it would be more accurate to change it to "This certificate is used to sign server certificates. It is an Intermediate CA."

Agreed. We should perhaps add the "This certificate is self-signed" sentence
to root_ca.conf as well while at it, it's currently only mentioned in
sslfiles.mk and adding it to the config would make the documentation more
consistent.

> Attached is a patch attempting to fix the description issue.

Thanks, I'll have another look and will apply.

--
Daniel Gustafsson