I'm reposting my question from discussions.apple.com since it hasn't been answered yet:
Certificates created with "/System/Library/CoreServices/Certificate Assistant.app" (version 2.0, build 32175) lack many standard X509v3 extensions, not limited to but most notably:
- Subject Key Identifier ( 2 5 29 14 )
- Authority Key Identifier ( 2 5 29 35 )
- Certificate Policies ( 2 5 29 32 )
- CRL Distribution Points ( 2 5 29 31 )
- Certificate Authority Information Access ( 1 3 6 1 5 5 7 1 1 )
Also, when a certificate request is signed by a self-made / self-signed CA, a corresponding plist file (found in "~/Library/Application Support/Certificate Authority//*.certAuthorityConfig") governs which extensions are included in the certificate. certAuthorityConfig supports extensions like, e.g.,
- Key Usage ( 2 5 29 15 ) via KeyUsageExtensionIsEnabled
- Extended Key Usage ( 2 5 29 37 ) via ExtendedKUEPresent
but lacks respective keys to support further extensions like the ones mentioned above.
I wonder if the default certAuthorityConfig file created by Certificate Assistant.app omits to include (undocumented) keys for other extensions that Keychain (versions: 4.0.2, build: 35210) otherwise seems to support or if there really is no support for any extensions other than key usage?
- Is there any other way to have custom extensions included in self-made certificates?
- Is there a reference for certAuthorityConfig files somewhere?
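
A check for the extensions listed in the post, as an added example that is not part of the original post: it walks the DER structure of a certificate with the Python standard library and reports which of the five OIDs are absent. `SAMPLE` is a constructed skeleton, and all function names are this example's own.

```python
WANTED = {
    "2.5.29.14": "Subject Key Identifier",
    "2.5.29.35": "Authority Key Identifier",
    "2.5.29.32": "Certificate Policies",
    "2.5.29.31": "CRL Distribution Points",
    "1.3.6.1.5.5.7.1.1": "Authority Information Access",
}
# Constructed skeleton (not a valid certificate): version, serial, Key Usage and EKU only.
SAMPLE = bytes.fromhex(
    "3020301ea003020102020101a3143012"
    "30070603551d0f040030070603551d250400")

def read_tlv(buf, pos):  # returns (tag, value, next_pos) for the element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def decode_oid(value):
    arcs, acc = [], 0
    for b in value:  # base-128 arcs, high bit set on all but the last octet
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)  # first two arcs share one encoded value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def extension_oids(cert_der):
    _, cert, _ = read_tlv(cert_der, 0)   # outer Certificate SEQUENCE
    _, tbs = next(children(cert))        # tbsCertificate
    for tag, val in children(tbs):
        if tag == 0xA3:                  # [3] EXPLICIT Extensions
            _, ext_seq = next(children(val))
            return [decode_oid(next(children(ext))[1]) for _, ext in children(ext_seq)]
    return []                            # v1 certificate or no extensions field

def missing_extensions(cert_der):
    present = set(extension_oids(cert_der))
    return [name for oid, name in WANTED.items() if oid not in present]
```

For a PEM export from Keychain, convert to DER first with `ssl.PEM_cert_to_DER_cert()` and pass the result to `missing_extensions()`.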