Defining X509 certificate extension as critical


I need to create a timestamping server authority. To do so, I need a certificate with the “timestamping” extension. I am trying to use cfssl to do that.

That was not the case in the certificate created with cfssl. I opened an issue: cfssl#815.

But while searching the code to create a PR, I have a doubt:

Is it possible to define an extended key usage as critical?

I have searched over the past few days but could not find how…

Note: According to RFC 3161 sec. 2.3, when signing a certificate for time stamping usage, the extended key usage Time Stamping must be critical.

id-kp-timeStamping. This extension MUST be critical.

If I understood the code in x509/buildExtensions(), the Critical flag cannot be set on extended key usage.

There is the 13739 issue, but it does not seem related.

I found a solution on how to proceed, but it seems ugly…

Is there a better way?

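An added example, not part of the original post and not cfssl's code: in Go's crypto/x509, entries in `ExtraExtensions` are copied raw into the certificate and override what the other template fields would produce, so an extended key usage extension supplied there can carry `Critical: true`. The function names, the self-signed Ed25519 demo certificate and its subject are constructed for illustration, and the `slices` package assumes Go 1.21 or later.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"slices"
	"time"
)

var oidExtKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37} // id-ce-extKeyUsage

// timestampingCert self-signs a demo cert; its EKU comes from ExtraExtensions, not ExtKeyUsage.
func timestampingCert(critical bool) ([]byte, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	eku, err := asn1.Marshal([]asn1.ObjectIdentifier{{1, 3, 6, 1, 5, 5, 7, 3, 8}}) // id-kp-timeStamping
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "Example TSA (constructed)"},
		NotBefore:       time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidExtKeyUsage, Critical: critical, Value: eku}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
}

// ekuCritical reports whether der parses as a certificate with a critical EKU extension.
func ekuCritical(der []byte) bool {
	cert, err := x509.ParseCertificate(der)
	return err == nil && slices.ContainsFunc(cert.Extensions, func(e pkix.Extension) bool {
		return e.Critical && e.Id.Equal(oidExtKeyUsage)
	})
}

func main() {
	der, err := timestampingCert(true)
	if err != nil {
		panic(err)
	}
	fmt.Println("EKU critical:", ekuCritical(der))
}
```

Calling `timestampingCert(false)` yields a certificate with the same key purpose but a non-critical extension, which is useful as a negative control when testing a verifier.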