4

So, for a while now I've been trying to figure out how you issue an SSL certificate with TLS 1.3 and not TLS 1.2, because I'm not sure if I need to change something in my OpenSSL.cnf file or if I need to add something to it?

Here are the extensions I use:

```
[ server_cert ]
basicConstraints = critical, CA:FALSE
nsCertType = server
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
```

How do I add TLS 1.3?

CHOO YJ
Lucky M

1 Answer

6

The certificate is independent from the TLS protocol version. You should be able to use the same certificate as you use with TLS 1.2, TLS 1.1, TLS 1.0 etc.

Steffen Ullrich

  • Well, I know that, but what I was wondering is how do I add TLS 1.3 support to the certificate when signing it with my CA, like the cipher, etc. – Lucky M Aug 16 '20 at 21:38
  • @LuckyM If you really do know that the certificate is independent of the protocol version, why are you asking how to put the protocol version into the certificate? – user207421 Aug 17 '20 at 04:16
  • 3
    @LuckyM: The TLS 1.3 support belongs in the client and server implementation and configuration but not in the certificate. Once the support is in implementation and configuration the existing certificate will work with TLS 1.3 too. – Steffen Ullrich Aug 17 '20 at 04:22
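
Added example (not part of the original answer or its comments): the same throwaway certificate is presented in a handshake pinned to TLS 1.2 and in one pinned to TLS 1.3, with the version set only on the Python `ssl` contexts. It assumes the `openssl` CLI (1.1.1 or later) is on the PATH; `example.test` and the self-signed certificate are constructed for the demo and do not use the asker's CA or `server_cert` section.

```python
import hashlib
import os
import ssl
import subprocess
import tempfile

HOST = "example.test"  # constructed name, used only for this demo

def make_cert(workdir):
    """Create a throwaway self-signed key and certificate with the openssl CLI."""
    key, crt = os.path.join(workdir, "key.pem"), os.path.join(workdir, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-keyout", key, "-out", crt, "-subj", "/CN=" + HOST,
         "-addext", "subjectAltName=DNS:" + HOST],
        check=True, capture_output=True)
    return key, crt

def handshake(key, crt, version):
    """In-memory handshake with client and server pinned to one protocol version."""
    server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server.load_cert_chain(crt, key)
    client = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client.load_verify_locations(crt)  # trust the demo certificate
    for ctx in (server, client):
        ctx.minimum_version = ctx.maximum_version = version  # endpoint setting
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    c = client.wrap_bio(c_in, c_out, server_hostname=HOST)
    s = server.wrap_bio(s_in, s_out, server_side=True)
    pending = [c, s]
    for _ in range(10):  # a few round trips are enough for either version
        for side in list(pending):
            try:
                side.do_handshake()
                pending.remove(side)
            except ssl.SSLWantReadError:
                pass  # needs more bytes from the peer
        for src, dst in ((c_out, s_in), (s_out, c_in)):
            if src.pending:
                dst.write(src.read())  # shuttle handshake records to the peer
    cert_der = c.getpeercert(binary_form=True)
    return c.version(), hashlib.sha256(cert_der).hexdigest()

def compare_versions():
    """Run the same certificate through a TLS 1.2 and a TLS 1.3 handshake."""
    with tempfile.TemporaryDirectory() as d:
        key, crt = make_cert(d)
        return [handshake(key, crt, v)
                for v in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)]
```

`compare_versions()` returns the negotiated version and the SHA-256 fingerprint of the certificate the client received for each handshake; the fingerprints are identical while the versions differ.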