Support version 1 cert generation

Xuelei Fan Xuelei.Fan at Oracle.Com
Tue May 17 16:12:27 UTC 2016


JDK still supports version 1 certs.  Developers may want to test version 1 support in their applications.  I agree that version 1 should be faded out, although it is still actively used in practice, especially as self-signed certs.

It may be something that we only want to consider for self-signed certs, on request.

Thanks,
Xuelei

> On May 17, 2016, at 7:45 PM, Sean Mullan <sean.mullan at oracle.com> wrote:
> 
> Hi Xuelei,
> 
> Can you elaborate under what circumstances this is useful for testing? X.509 v3 was first published in 1996, and v1 certificates should be pretty much non-existent these days (although there are some root certs that are still v1). v1 certificates do not support extensions. Adding support may cause users to (accidentally) start using them in practice, which would not be good. PKIX (RFC 3280) states that "Conforming implementations may choose to reject all version 1 and version 2 intermediate certificates." (RFC 5280, section 6.1.4 step k).
> 
> Thanks,
> Sean
> 
>> On 05/17/2016 12:44 AM, Wang Weijun wrote:
>> https://bugs.openjdk.java.net/browse/JDK-8157109 filed.
>> 
>> --Max
>> 
>>> On May 17, 2016, at 12:25 PM, Xuelei Fan <xuelei.fan at oracle.com> wrote:
>>> 
>>> Hi,
>>> 
>>> Keytool used to generate version 1 self-signed certificates.  Now it is
>>> mandatory that they be version 3.  Default version 3 should be OK.  However, in
>>> some circumstances (for example for testing purposes), version 1
>>> self-signed certificates may still be useful.
>>> 
>>> It would be a low priority, but it may be nice to add an option to support
>>> a specified certificate version number for certificate generation.
>>> 
>>> Thanks,
>>> Xuelei
>> 
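The thread turns on two facts: version 1 certificates cannot carry extensions (so no basicConstraints or keyUsage), and RFC 5280 section 6.1.4 step (k) lets a conforming validator reject version 1 and 2 intermediates. The following is an added example, not JDK or keytool code, showing how an application can apply that rule to a chain it has already loaded with the standard `java.security.cert` API. It assumes the PEM file is ordered leaf first, followed by intermediates and finally the trust anchor; the class name `CertVersionCheck` and the method names are this example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/**
 * Added example (not JDK code): report the X.509 version of every certificate
 * in a chain and reject version 1/2 intermediates, which RFC 5280 section
 * 6.1.4 step (k) permits a conforming implementation to do.
 *
 * Assumption: the chain is ordered leaf first, trust anchor last, which is
 * the order CertificateFactory.generateCertificates() preserves from a PEM
 * bundle written that way.
 */
public final class CertVersionCheck {

    private CertVersionCheck() {}

    /** One line per certificate: version, subject and extension count. */
    public static List<String> describe(List<X509Certificate> chain) {
        List<String> out = new ArrayList<>();
        for (X509Certificate c : chain) {
            int version = c.getVersion(); // 1, 2 or 3
            Set<String> crit = c.getCriticalExtensionOIDs();
            Set<String> nonCrit = c.getNonCriticalExtensionOIDs();
            // A v1 certificate has no extension list at all, so both sets are null.
            int extCount = (crit == null ? 0 : crit.size()) + (nonCrit == null ? 0 : nonCrit.size());
            out.add("v" + version + " " + c.getSubjectX500Principal()
                    + " (" + extCount + " extensions)");
        }
        return out;
    }

    /**
     * Rejects any intermediate (index 1 .. size-2) whose version is below 3.
     * The leaf and the trust anchor are left alone: some roots are still v1,
     * as the thread notes, and a self-signed test leaf is the case keytool
     * users asked about.
     */
    public static void rejectLegacyIntermediates(List<X509Certificate> chain)
            throws CertPathValidatorException {
        for (int i = 1; i < chain.size() - 1; i++) {
            X509Certificate c = chain.get(i);
            if (c.getVersion() < 3) {
                throw new CertPathValidatorException(
                        "intermediate at index " + i + " is version " + c.getVersion()
                        + " (" + c.getSubjectX500Principal()
                        + "); rejecting per RFC 5280 section 6.1.4 step (k)");
            }
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java CertVersionCheck chain.pem   (leaf first, root last)");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        for (String line : describe(chain)) {
            System.out.println(line);
        }
        rejectLegacyIntermediates(chain);
        System.out.println("no version 1/2 intermediates in chain");
    }
}
```

Running it against a chain that contains a v1 intermediate ends in a `CertPathValidatorException`; a chain whose only v1 certificate is the self-signed root or a self-signed test leaf passes, which matches the distinction drawn in the thread between legacy roots and test certificates on one hand and intermediates on the other.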
