There are a bunch of ways we aren't really following CAFB rules. Not sure how much it matters. But for example:
7.1.2.1 rules for root certificates:
- SHOULD NOT set
path_length
- MUST include
keyUsage
- MUST be marked critical
- MUST have keyCertSign and cRLSign set
7.1.4.3 CA certificates:
- MUST have a common name, organization name, and country name
7.1.2.3 subscriber certificates:
- MUST have certificatePolicies
- MUST have extKeyUsage
We might have some RFC 5280 fails too, I haven't read it carefully.
There are a bunch of ways we aren't really following CAFB rules. Not sure how much it matters. But for example:
7.1.2.1 rules for root certificates:
path_lengthkeyUsage7.1.4.3 CA certificates:
7.1.2.3 subscriber certificates:
We might have some RFC 5280 fails too, I haven't read it carefully.