Karsten Künne wrote:
> They might not support the AKI extension which is surprising as this extension is rather trivial to add.
Well, they should add it to be compliant with the PKIX cert profile.
RFC 5280, section 4.2.1.1:
The keyIdentifier field of the authorityKeyIdentifier extension MUST be included in all certificates generated by conforming CAs to facilitate certification path construction. There is one exception; where a CA distributes its public key in the form of a "self-signed" certificate, the authority key identifier MAY be omitted.
Ciao, Michael.
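
A check for the RFC 5280 rule quoted above, as an added example that is not part of the original message or of any project mentioned in it. The names `tlv`, `children`, `check_aki` and `sample_cert` are hypothetical, the sample certificates are constructed skeletons, and issuer == subject is assumed as a stand-in for "self-signed".

```python
# Added example (stdlib only); sample_cert() output is a constructed skeleton.
AKI_OID = bytes.fromhex("551d23")  # 2.5.29.35 authorityKeyIdentifier

def tlv(tag, content=b""):  # encode one DER TLV, short or long-form length
    n = len(content)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def children(data):  # split concatenated DER TLVs into (tag, content, raw)
    out, i = [], 0
    while i < len(data):
        tag, n, j = data[i], data[i + 1], i + 2
        if n & 0x80:  # long-form length
            k = n & 0x7F
            n, j = int.from_bytes(data[j:j + k], "big"), j + k
        if j + n > len(data):
            raise ValueError("truncated DER")
        out.append((tag, data[j:j + n], data[i:j + n]))
        i = j + n
    return out

def check_aki(cert_der):
    """Return (ok, reason) for the RFC 5280 section 4.2.1.1 rule."""
    fields = children(children(children(cert_der)[0][1])[0][1])  # TBS fields
    base = 1 if fields[0][0] == 0xA0 else 0  # optional [0] version
    issuer, subject = fields[base + 2][2], fields[base + 4][2]
    for content in (c for t, c, _ in fields if t == 0xA3):  # [3] Extensions
        for _, ext, _ in children(children(content)[0][1]):
            parts = children(ext)  # OID, optional critical flag, OCTET STRING
            if parts[0][1] == AKI_OID:
                aki = children(children(parts[-1][1])[0][1])
                if any(t == 0x80 for t, _, _ in aki):  # [0] keyIdentifier
                    return True, "keyIdentifier present"
                return False, "AKI present without keyIdentifier"
    # Assumption: issuer == subject stands in for "self-signed"; a real check
    # would also verify the signature with the certificate's own key.
    if issuer == subject:
        return True, "AKI omitted on self-issued certificate"
    return False, "AKI extension missing"

def sample_cert(issuer, subject, aki_fields=None):  # constructed skeleton
    name = lambda s: tlv(0x30, tlv(0x0C, s))  # stand-in, not a real Name
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30)
           + name(issuer) + tlv(0x30) + name(subject) + tlv(0x30))
    if aki_fields is not None:
        ext = tlv(0x30, tlv(0x06, AKI_OID) + tlv(0x04, tlv(0x30, aki_fields)))
        tbs += tlv(0xA3, tlv(0x30, ext))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30) + tlv(0x03, b"\x00"))
```

An AKI extension that carries only authorityCertSerialNumber (or only the issuer name) is reported as non-compliant, since the RFC text requires the keyIdentifier field specifically.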