I am trying to provide a test certificate generated by openssl-3.0.0-alpha10 to a third party certificate parser/manager. This software expects AlgorithmIdentifier to either have parameters or to have null encoded (05 00) parameters which seems to be missing in the certificate.

Certificate generated by openssl-3.0.0-alpha10

    0:d=0 hl=4 l=1030 cons: SEQUENCE
    4:d=1 hl=4 l= 752 cons: SEQUENCE
    8:d=2 hl=2 l= 3 cons: cont [ 0 ]
   10:d=3 hl=2 l= 1 prim: INTEGER :02
   13:d=2 hl=2 l= 1 prim: INTEGER :01
*  16:d=2 hl=2 l= 11 cons: SEQUENCE *
*  18:d=3 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption *
   29:d=2 hl=3 l= 143 cons: SEQUENCE
   32:d=3 hl=2 l= 11 cons: SET
   34:d=4 hl=2 l= 9 cons: SEQUENCE
   36:d=5 hl=2 l= 3 prim: OBJECT :countryName

Certificate generated by openssl-1.1.1g

    0:d=0 hl=4 l= 988 cons: SEQUENCE
    4:d=1 hl=4 l= 708 cons: SEQUENCE
    8:d=2 hl=2 l= 3 cons: cont [ 0 ]
   10:d=3 hl=2 l= 1 prim: INTEGER :02
   13:d=2 hl=2 l= 1 prim: INTEGER :01
*  16:d=2 hl=2 l= 13 cons: SEQUENCE *
*  18:d=3 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption *
*  29:d=3 hl=2 l= 0 prim: NULL *
   31:d=2 hl=3 l= 143 cons: SEQUENCE
   34:d=3 hl=2 l= 11 cons: SET
   36:d=4 hl=2 l= 9 cons: SEQUENCE
   38:d=5 hl=2 l= 3 prim: OBJECT :countryName

From https://tools.ietf.org/html/rfc5280#section-4.1.1.2, it isn't clear if NULL parameters can be completely omitted or if it should still have NULL encoding. Is this too stringent a check in the third-party s/w or a miss in openssl-3.0.0-alpha10?

Thanks,
Thulasi.