node-opcua / node-opcua-pki / 23502520025

92%

push

github

fix(ca): use separate v3_ca_req section for CSR generation

OpenSSL 3.5.x (Alpine) rejects ANY authorityKeyIdentifier
value during CSR generation — even plain `keyid` — because
v3_akid.c unconditionally looks for an issuer certificate
that does not exist yet during root CA bootstrap.

The fix introduces a dedicated `v3_ca_req` config section
for the CSR step (`openssl req -extensions v3_ca_req`) that
omits `authorityKeyIdentifier` entirely.  The self-signing
step continues to use `-extensions v3_ca` which retains the
full `authorityKeyIdentifier = keyid:always,issuer:always`
since the issuer key is available at that point.

This is architecturally cleaner than the previous attempt
(changing `keyid:always` to `keyid`) because:

  1. CSR extensions should not include issuer-dependent
     fields — they are just "requests"
  2. The final certificate gets the correct extensions
     during self-signing via v3_ca
  3. v3_ca retains the original, strict setting

Tested with:
  - OpenSSL 3.0.x  (Ubuntu CI)   — passes
  - OpenSSL 3.4.1  (Windows)     — 170 tests pass
  - OpenSSL 3.5.5  (Alpine CI)   — passes (was failing)

Refs:
  - https://github.com/openssl/openssl/issues/21519
  - OpenSSL man x509v3_config(5) - authorityKeyIdentifier

247 of 344 branches covered (71.8%)

1172 of 1271 relevant lines covered (92.21%)

266.06 hits per line