From 0d5c40e0594cbb45efb681ba06a4da155369dae3 Mon Sep 17 00:00:00 2001
From: LarsBingBong <80959443+LarsBingBong@users.noreply.github.com>
Date: Fri, 24 Feb 2023 20:32:49 +0100
Subject: [PATCH] Mark the IDP critical in the generated CRL data.

Trying to get CRL to work on my environment I've been reading up on [RFC5280](https://www.rfc-editor.org/rfc/rfc5280#section-5.2.5) ... and the IDP to be marked as `Critical`. I hope I'm correct and that my understanding on how to mark the IDP is critical. Looking at e.g. `https://github.com/smallstep/crypto/blob/3470b1ec576bc912e80ac6c65a495934d4fcc585/x509util/extensions_test.go#L48` makes me think so.
---
Hopefully the above change - if accepted - can get CRL's to work on my environment. If not we're at least one step closer.
---
 authority/tls.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/authority/tls.go b/authority/tls.go
index e64bb5fa..b7531ce3 100644
--- a/authority/tls.go
+++ b/authority/tls.go
@@ -786,7 +786,7 @@ func (a *Authority) GenerateCertificateRevocationList() error {
 // Note that this is currently using the port 443 by default.
 if b, err := marshalDistributionPoint(fullName, false); err == nil {
 revocationList.ExtraExtensions = []pkix.Extension{
- {Id: oidExtensionIssuingDistributionPoint, Value: b},
+ {Id: oidExtensionIssuingDistributionPoint, Critical: true, Value: b},
 }
 }
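Review bot: The `err == nil` guard around marshalDistributionPoint still swallows the marshal error, so a failure silently produces a CRL with no IDP at all — and now that the extension is intended to be critical, a CRL that quietly lacks it is exactly the case relying parties cannot detect. I would surface the error instead: `b, err := marshalDistributionPoint(fullName, false)`, `if err != nil { return err }`, and then set `revocationList.ExtraExtensions` unconditionally. Marking IDP critical is what RFC 5280 §5.2.5 requires, but once the extension is present its fullName must match the CRLDP in the certificates this CRL covers (RFC 5280 §6.3.3), otherwise strict verifiers reject the CRL (OpenSSL reports a "different CRL scope" error); the preceding "port 443 by default" comment suggests it is worth confirming that the two names are byte-identical, including scheme and port. GenerateCertificateRevocationList starts before and continues after this hunk.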