Add more detail to the comment

danegsta · danegsta · commit ee8f30bf11c9 · 2025-11-06T13:24:24.000-08:00
diff --git a/src/Shared/CertificateGeneration/CertificateManager.cs b/src/Shared/CertificateGeneration/CertificateManager.cs
@@ -830,6 +830,8 @@ internal static X509Certificate2 CreateSelfSignedCertificate(
         }
 
         // Only add the SKI and AKI extensions if neither is already present.
+        // OpenSSL needs these to correctly identify the trust chain for a private key. If multiple certificates don't have a subject key identifier and share the same subject,
+        // the wrong certificate can be chosen for the trust chain, leading to validation errors.
         if (!request.CertificateExtensions.OfType<X509SubjectKeyIdentifierExtension>().Any() && !request.CertificateExtensions.OfType<X509AuthorityKeyIdentifierExtension>().Any())
         {
             // RFC 5280 section 4.2.1.2

Original file line number	Diff line number	Diff line change
`@@ -830,6 +830,8 @@ internal static X509Certificate2 CreateSelfSignedCertificate(`
`830`	`830`	`}`
`831`	`831`
`832`	`832`	`// Only add the SKI and AKI extensions if neither is already present.`
	`833`	`+ // OpenSSL needs these to correctly identify the trust chain for a private key. If multiple certificates don't have a subject key identifier and share the same subject,`
	`834`	`+ // the wrong certificate can be chosen for the trust chain, leading to validation errors.`
`833`	`835`	`if (!request.CertificateExtensions.OfType<X509SubjectKeyIdentifierExtension>().Any() && !request.CertificateExtensions.OfType<X509AuthorityKeyIdentifierExtension>().Any())`
`834`	`836`	`{`
`835`	`837`	`// RFC 5280 section 4.2.1.2`