JDK still supports version 1 certs. Developers may want to test version 1 support of their applications. I agree that version 1 should be faded out, although it is still actively used in practice, especially as self-signed certs.
It may be something that we only want to consider for self-signed certs on request.

Thanks,
Xuelei

> On May 17, 2016, at 7:45 PM, Sean Mullan <sean.mul...@oracle.com> wrote:
>
> Hi Xuelei,
>
> Can you elaborate under what circumstances this is useful for testing? X.509
> v3 was first published in 1996, and v1 certificates should be pretty much
> non-existent these days (although there are some root certs that are still
> v1). v1 certificates do not support extensions. Adding support may cause
> users to (accidentally) start using them in practice, which would not be
> good. PKIX (RFC 3280) states that "Conforming implementations may choose to
> reject all version 1 and version 2 intermediate certificates." (RFC 5280,
> section 6.1.4 step k).
>
> Thanks,
> Sean
>
>> On 05/17/2016 12:44 AM, Wang Weijun wrote:
>> https://bugs.openjdk.java.net/browse/JDK-8157109 filed.
>>
>> --Max
>>
>>> On May 17, 2016, at 12:25 PM, Xuelei Fan <xuelei....@oracle.com> wrote:
>>>
>>> Hi,
>>>
>>> Keytool used to generate version 1 self-signed certificates. Now it is
>>> mandatory to be version 3. Default version 3 should be OK. However, in
>>> some circumstances (for example for testing purposes), version 1
>>> self-signed certificates may still be useful.
>>>
>>> It would be a low priority, but may be nice to add an option to support
>>> a specified certificate version number for certificate generation.
>>>
>>> Thanks,
>>> Xuelei