Re: Enrico Zini 2017-09-05 <[email protected]>
> I refactored the certificate generation code for sso.debian.org, and the
> certificates it generates now still work in Firefox but not in Chrome.
My guess is that the new-style certificates are missing some
attributes:
Old certificate from 2015:
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Key Agreement
X509v3 Extended Key Usage:
TLS Web Client Authentication
New certificate from this week:
X509v3 extensions:
X509v3 Subject Alternative Name:
email:[email protected]
X509v3 Basic Constraints: critical
CA:FALSE
I'll see if I can add that.
Christoph
