Werk #15196: Allow CA certificates without key usage restrictions

Component Setup
Title Allow CA certificates without key usage restrictions
Date Nov 20, 2023
Level Trivial Change
Class Bug Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.3.0b1
Not yet released
Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0b1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p15 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

Prior to this Werk, certificates that did not include the KeyUsage extension were not considered CA certificates by Checkmk, as they lack the keyCertSign bit.

While CAs conforming with RFC 5280 MUST include the extension and set this bit, not all do in practice. Recommendation ITU-T X.509 considers only the basicConstraint "cA" required for CAs.

With this Werk, Checkmk will consider setting the cA basicConstraint but not the KeyUsage extension as valid for CA certificates. Note that certificates that do set the KeyUsage extension but lack the keyCertSign bit may still not be used for certificate signing.

To the list of all Werks