Issue with custom CA and Certify CSRs

Hi all

I am trying to request a certificate from a custom ACME provider (Globalsign’s Atlas service), but I am getting the following error:
"description":"invalid CSR: reserved extension: extension with OID '2.5.29.19' included in CSR

So I tried requesting a certificate with a custom CSR without OID ‘2.5.29.19’/Basic Constraints and that worked without issue.

Is it possible to configure Certify to generate CSRs without the Basic Constraints extension?

Kind regards,
Christian

Interesting! You’re the first to raise this issue. Are the certs issued by this service intended as public end-entity certificates (e.g. certs for a website etc)?

According to RFC 5280 (Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile), the basic constraints field must be included by a conforming CA and is used to indicate whether the entity the cert represents is a CA or not. [Edit: this is not relevant to our CSR, just the issued cert]

However, yes we can make it optional, or just exclude it altogether if it’s not really needed. We’ll look into this for a future update.

Reviewing this further, it looks like we can indeed skip the Basic Constraints and Key Usage extensions we currently include, as the CA will typically ignore those and assign its default extensions anyway without them being requested. Our next update will remove these.
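
A pre-submission check for the rejection discussed in this thread, as an added example that is not part of any post here and is not Certify's code: it lists the extension OIDs a PKCS#10 CSR requests and flags those a CA treats as reserved. The function names and the sample CSR are assumptions made for illustration; the sample is constructed with placeholder subject, key and signature, and the default reserved list holds only the OID from the error message above.

```python
import base64

BASIC_CONSTRAINTS = "2.5.29.19"              # OID named in the CA's error message
EXTENSION_REQUEST = "1.2.840.113549.1.9.14"  # PKCS#9 extensionRequest attribute

def read_tlvs(buf):  # split DER bytes into (tag, value) pairs; single-byte tags only
    out, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits count the length bytes that follow
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def oid_str(b):  # DER OID content bytes -> dotted string
    arcs, v = [], 0
    for byte in b:
        v = (v << 7) | (byte & 0x7F)
        if byte < 0x80:
            arcs, v = arcs + [v], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def requested_extensions(csr):  # extension OIDs requested in a PEM or DER PKCS#10 CSR
    if csr.lstrip().startswith(b"-----BEGIN"):
        csr = base64.b64decode(b"".join(l for l in csr.splitlines() if b"-----" not in l))
    info = read_tlvs(read_tlvs(csr)[0][1])[0][1]  # CertificationRequestInfo contents
    attrs = b"".join(v for t, v in read_tlvs(info) if t == 0xA0)  # [0] attributes
    oids = []
    for _, attr in read_tlvs(attrs):
        (_, attr_oid), (_, values) = read_tlvs(attr)[:2]
        if oid_str(attr_oid) == EXTENSION_REQUEST:
            for _, exts in read_tlvs(values):  # the SET holds one Extensions SEQUENCE
                oids += [oid_str(read_tlvs(e)[0][1]) for _, e in read_tlvs(exts)]
    return oids

def reserved_extensions(csr, reserved=(BASIC_CONSTRAINTS,)):  # what the CA would reject
    return [o for o in requested_extensions(csr) if o in reserved]

def tlv(tag, *parts):  # short-form DER encoder, enough for the constructed samples
    return bytes([tag, len(b"".join(parts))]) + b"".join(parts)

def sample_csr(with_bc):  # constructed skeleton: real layout, placeholder key/signature
    exts = [tlv(0x30, tlv(6, bytes.fromhex("551d11")), tlv(4, tlv(0x30, tlv(0x82, b"example.test"))))]
    if with_bc:  # basicConstraints carrying an empty SEQUENCE (CA:FALSE)
        exts.append(tlv(0x30, tlv(6, bytes.fromhex("551d13")), tlv(4, tlv(0x30))))
    attr = tlv(0x30, tlv(6, bytes.fromhex("2a864886f70d01090e")), tlv(0x31, tlv(0x30, *exts)))
    info = tlv(0x30, tlv(2, b"\0"), tlv(0x30), tlv(0x30), tlv(0xA0, attr))
    return tlv(0x30, info, tlv(0x30), tlv(3, b"\0"))
```

To check a real request, pass the raw bytes of the PEM or DER file to reserved_extensions; an empty list means none of the listed OIDs is requested.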

Amazing!
Thank you for the quick reply and investigation.
This service is indeed intended for public SSL/TLS certificates.

Kind regards,
Christian

We are planning a release for tomorrow (v6.1.1) which will include this change, subject to testing.

Much appreciated.

I have just tested it and it works perfectly.
My company has started offering the Atlas platform for our customers. We will make sure to recommend Certify for use with it!

Kind regards,
Christian
