honor_crq_extensions breaks certificate generation if trying to use a CSR that includes a Subject_Key_Identifier
Description of problem:
In certtool, if using the option honor_crq_extensions when generating/signing a certificate from a CSR containing a Subject_Key_Identifier, certtool fails. The error stated is: set_subject_key_id: The request is invalid. If not using honor_crq_extensions the certificate can be created from the CSR, but then the other crq extensions are not carried over either. Note that a new Subject_Key_Identifier is created in this case.
Version of gnutls used:
3.6.16-8.el8_9.3.x86_64
Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Rocky (RHEL)
How reproducible:
Steps to Reproduce:
- one: Create a CSR containing a Subject_Key_Identifier
- two: Try to create a certificate from that CSR using certtool and using the option honor_crq_extensions
Actual results:
Certtool fails with an error. The error stated is: set_subject_key_id: The request is invalid
Expected results:
A certificate is created from the CSR containing the CRQ extensions. Regarding the Subject_Key_Identifier there are probably two ways to handle this, either overwrite the existing Subject_Key_Identifier or respect the one from the CSR. What is the best option I leave up to you.
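
A reproduction sketch of the two steps above, added here and not part of the original report. It assumes the CSR is created with OpenSSL 1.1.1 or later (the report does not say how the CSR was made); the file names, CN values and helper function names are constructed for the example.

```shell
#!/bin/sh
# Added reproduction sketch, not from the original report.
# Assumptions: OpenSSL creates the CSR; file names and CNs are constructed.

write_templates() {  # $1 = work dir; writes the two certtool templates
    cat > "$1/ca.cfg" <<'EOF'
cn = "Example Test CA"
ca
cert_signing_key
expiration_days = 30
EOF
    cat > "$1/sign.cfg" <<'EOF'
expiration_days = 30
honor_crq_extensions
EOF
}

csr_has_ski() {  # $1 = PEM CSR; true if it carries a Subject Key Identifier
    openssl req -in "$1" -noout -text | grep -q 'X509v3 Subject Key Identifier'
}

reproduce() {  # $1 = work dir
    d=$1
    write_templates "$d" || return 1
    # Throwaway CA used only to sign the request.
    certtool --generate-privkey --outfile "$d/ca.key" || return 1
    certtool --generate-self-signed --load-privkey "$d/ca.key" \
        --template "$d/ca.cfg" --outfile "$d/ca.pem" || return 1
    # Step one: a CSR that contains a Subject Key Identifier extension.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" \
        -subj '/CN=leaf.example.test' \
        -addext 'subjectKeyIdentifier=hash' -out "$d/leaf.csr" || return 1
    csr_has_ski "$d/leaf.csr" || { echo 'CSR has no SKI' >&2; return 1; }
    # Step two: sign it with honor_crq_extensions set in the template.
    certtool --generate-certificate --load-request "$d/leaf.csr" \
        --load-ca-certificate "$d/ca.pem" --load-ca-privkey "$d/ca.key" \
        --template "$d/sign.cfg" --outfile "$d/leaf.pem"
    echo "certtool exit status: $?"
}

# Run the reproduction only when invoked as: sh repro.sh run
if [ "${1:-}" = run ]; then
    reproduce "$(mktemp -d)"
fi
```

Removing the honor_crq_extensions line from sign.cfg and running again gives the comparison case described in the report.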