David Lloyd edited comment on ELY-567 at 6/8/16 7:46 AM:
---------------------------------------------------------
Recently pointed out on the OpenJDK Security Development list:
{quote}
Hi -
To be very specific here - if a certificate has extensions, it MUST be version 3,
otherwise it SHOULD be version 1, but may be version 2 or 3. (If a certificate has either
of the issuer or subject unique ID fields, it must be at least version 2 - but those
fields are deprecated as a MUST NOT for conforming CAs, so you should never issue a
certificate with those fields).
A CA certificate (i.e. an intermediate certificate) is required to have a basicConstraints
extension - and must be a version three certificate.
If you do this (support V1 cert gen), I'd make it a side effect of whether or not you
add extensions instead of a discrete option.
{quote}
Add a builder API for X.509 certificates
----------------------------------------
Key: ELY-567
URL: https://issues.jboss.org/browse/ELY-567
Project: WildFly Elytron
Issue Type: Feature Request
Components: X.500
Reporter: David Lloyd
It is going to be somewhat common for us to generate certificates for various purposes,
including (but not limited to) self-signing and CSRs. While it is possible to assemble a
certificate by hand using the DER encoding API, it would be nicer to have a certificate
builder API which wraps the DER encoder and makes this process easier. It should adhere
to all certificate generation rules and recommendations found in RFCs and elsewhere.
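The version rules quoted in the comment above, and the idea of a builder that wraps the DER encoder, as an added Python sketch that is not Elytron's or OpenJDK's code (the TbsFields class, function names and sample values are assumptions): the version falls out of which fields are present, conformance problems are reported rather than silently encoded, and the DER for the version field is produced.

```python
# Added example (not Elytron code): derive the X.509 version from the fields a
# TBSCertificate actually carries, per RFC 5280 section 4.1.2.1, and encode the
# "version [0] EXPLICIT Version DEFAULT v1" field. All names are made up.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BASIC_CONSTRAINTS_OID = "2.5.29.19"  # id-ce-basicConstraints


@dataclass
class TbsFields:
    extensions: Dict[str, bytes] = field(default_factory=dict)  # OID -> DER value
    issuer_unique_id: Optional[bytes] = None
    subject_unique_id: Optional[bytes] = None
    is_ca: bool = False


def required_version(tbs: TbsFields) -> int:
    """Return 1, 2 or 3: the lowest version the present fields allow."""
    if tbs.extensions:
        return 3  # any extension => MUST be v3
    if tbs.issuer_unique_id is not None or tbs.subject_unique_id is not None:
        return 2  # unique identifiers => at least v2
    return 1      # nothing else => SHOULD be v1


def check_conforming(tbs: TbsFields) -> List[str]:
    """Problems a conforming CA must not ship; an empty list means OK."""
    problems = []
    if tbs.issuer_unique_id is not None or tbs.subject_unique_id is not None:
        problems.append("unique identifier fields MUST NOT be issued")
    if tbs.is_ca and BASIC_CONSTRAINTS_OID not in tbs.extensions:
        problems.append("CA certificate lacks basicConstraints")
    return problems


def encode_version(version: int) -> bytes:
    """DER for 'version [0] EXPLICIT INTEGER DEFAULT v1'.

    DER forbids encoding a value equal to its DEFAULT, so v1 emits nothing;
    v2 and v3 are INTEGER 1 and 2 wrapped in the constructed [0] tag (0xA0)."""
    if version == 1:
        return b""
    inner = bytes([0x02, 0x01, version - 1])   # INTEGER, length 1, v2(1)/v3(2)
    return bytes([0xA0, len(inner)]) + inner   # [0] EXPLICIT, constructed
```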