[Help-gnutls] Re: gnutls_x509_crt_set_version documentation suggestion

Simon Josefsson simon at josefsson.org
Thu Mar 15 12:29:58 CET 2007

Florian Weimer <fweimer at bfk.de> writes:

> It might be a good idea to add the following information to the
> documentation for gnutls_x509_crt_set_version:
>   To create well-formed certificates, you must specify version 3 if
>   you use any certificate extensions.  Extensions are created by
>   functions such as gnutls_x509_crt_set_subject_alternative_name or
>   gnutls_x509_crt_set_key_usage.


> (I don't know if GNUTLS supports the v2 extensions.)

I'm not familiar with v2 certificates... It might be possible to
create them using the GnuTLS API's.

> GNUTLS doesn't check if a v1 certificate contains any extensions, but
> other X.509 implementations do.

I've added checking this to the TODO list:

- Chain verifications.
  - Reject extensions in v1 certificates.


More information about the Gnutls-help mailing list