stmgr keygen certificate generates invalid x.509 certificates
Certificates created by stmgr leave both issuer and subject empty. https://www.rfc-editor.org/rfc/rfc5280#section-4.1.2.4 is very clear that issuer must be non-empty.
This breaks interop with other tools. In particular, I'd expect

```
openssl verify -trusted ca.cert leaf.cert
```

to pass when the certs are created by stmgr, with ca signing the leaf cert.
One potential option for populating the naming fields, which would be consistent with how we use the certs, would be to somehow use the hash of the SubjectPublicKeyInfo as the name. For cert chaining to work in standard x509 tools, I think it's required that
- ca.issuer == ca.subject (indicating self-signed)
- leaf.issuer == ca.subject (to identify key and authority for verifying the cert signature)
- leaf.issuer != leaf.subject (indicating not self-signed)
I think the current failure from openssl is because the leaf cert is generated with leaf.issuer == leaf.subject (both empty), and hence it looks like it is self-signed.