@github-actions
Contributor

@github-actions github-actions bot commented Nov 7, 2025

Backport of #64263 to release/10.0

/cc @danegsta

Add Subject Key Identifier and Authority Key Identifier extensions to the generated dev cert

Add Subject Key Identifier and Authority Key Identifier extensions to the dev cert

Description

Adds the Subject Key Identifier (SKID) and Authority Key Identifier (AKID) extensions to the dev cert to resolve issues with OpenSSL. Additionally increases the certificate version from 4 to 5 to ensure the certificate will be refreshed after a user updates.

OpenSSL uses the SKID and AKID extensions to identify the correct trust chain for a private key (even for a single trusted root certificate like the dev cert). If multiple certificates have the same SKID (or don't have an SKID value) and share the same subject, then the incorrect public certificate may be selected to verify the key, resulting in OpenSSL verification failures.

Fixes #64261

Customer Impact

Having a certificate without the subject key identifier (and authority key identifier) can result in OpenSSL selecting the wrong version of the dev cert to verify a connection.

Regression?

  • Yes
  • No

[If yes, specify the version the behavior has regressed from]

Risk

  • High
  • Medium
  • Low

These are standard certificate extensions and are added by default by OpenSSL when creating a self-signed certificate. The implementations used match RFC guidelines.

Verification

  • Manual (required)
  • Automated

Packaging changes reviewed?

  • Yes
  • No
  • N/A

When servicing release/2.3

  • Make necessary changes in eng/PatchConfig.props
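
A simplified model of the issuer selection the description refers to, as an added example that is not code from this PR or the project: two self-signed certificates share a subject, and only the AKID-to-SKID match identifies the right one. It assumes .NET 7 or later; `MakeSelfSigned`, `IssuerBySubject` and `IssuerByKeyId` are hypothetical helpers that illustrate the matching rule, not OpenSSL's actual implementation.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added illustration; helper names are hypothetical and the certificates are constructed samples:
// an old and a refreshed self-signed cert with the same subject but different keys.
var stale = MakeSelfSigned("CN=localhost");
var current = MakeSelfSigned("CN=localhost");
var store = new[] { stale, current }; // the stale cert happens to be found first

Console.WriteLine($"current cert:     {current.Thumbprint}");
Console.WriteLine($"by subject only:  {IssuerBySubject(current, store)?.Thumbprint}");
Console.WriteLine($"by AKID -> SKID:  {IssuerByKeyId(current, store)?.Thumbprint}");

static X509Certificate2 MakeSelfSigned(string subject)
{
    using var key = RSA.Create(2048);
    var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    var skid = new X509SubjectKeyIdentifierExtension(req.PublicKey, critical: false);
    req.CertificateExtensions.Add(skid);
    // Self-signed: the issuer key is the subject key, so the AKID repeats the SKID value.
    req.CertificateExtensions.Add(X509AuthorityKeyIdentifierExtension.CreateFromSubjectKeyIdentifier(skid));
    return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));
}

// Hex SKID (OID 2.5.29.14), or null when the extension is absent.
static string? Skid(X509Certificate2 c) =>
    c.Extensions.OfType<X509SubjectKeyIdentifierExtension>().FirstOrDefault()?.SubjectKeyIdentifier;

// Hex AKID key identifier (OID 2.5.29.35), or null when the extension is absent.
static string? Akid(X509Certificate2 c)
{
    var ext = c.Extensions["2.5.29.35"];
    if (ext is null) return null;
    var keyId = new X509AuthorityKeyIdentifierExtension(ext.RawData, ext.Critical).KeyIdentifier;
    return keyId is null ? null : Convert.ToHexString(keyId.Value.Span);
}

// Name-only lookup: every same-subject cert qualifies, so store order decides.
static X509Certificate2? IssuerBySubject(X509Certificate2 cert, X509Certificate2[] store) =>
    store.FirstOrDefault(c => c.Subject == cert.Issuer);

// Key-identifier lookup: the candidate's SKID must equal the cert's AKID.
static X509Certificate2? IssuerByKeyId(X509Certificate2 cert, X509Certificate2[] store)
{
    var akid = Akid(cert);
    return akid is null ? null
        : store.FirstOrDefault(c => string.Equals(Skid(c), akid, StringComparison.OrdinalIgnoreCase));
}
```

The subject-only lookup prints the stale certificate's thumbprint, while the key-identifier lookup prints the current one.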

@DamianEdwards DamianEdwards added the Servicing-consider (Shiproom approval is required for the issue) label Nov 7, 2025
@wtgodbe wtgodbe added Servicing-approved (Shiproom has approved the issue) and removed Servicing-consider (Shiproom approval is required for the issue) labels Nov 12, 2025
@wtgodbe
Member

wtgodbe commented Nov 12, 2025

Approved over email

@wtgodbe wtgodbe merged commit 733bb8a into release/10.0 Nov 12, 2025
28 checks passed
@wtgodbe wtgodbe deleted the backport/pr-64263-to-release/10.0 branch November 12, 2025 19:34
@dotnet-policy-service dotnet-policy-service bot added this to the 10.0.0 milestone Nov 12, 2025
@wtgodbe wtgodbe modified the milestones: 10.0.0, 10.0.1 Nov 13, 2025