Is your feature request related to a problem? Please describe.
ZAP's dynamically-generated leaf certificates (issued by its MITM CA) are missing the AuthorityKeyIdentifier (AKI) X.509v3 extension. This causes SSL verification failures in Python 3.13+ clients using urllib3 2.x or requests 4.x, which now strictly enforce RFC 5280.
Steps to Reproduce
- Run ZAP as a MITM/Transparent proxy (any recent version with the network addon)
- Configure a Python 3.13+ client to use the ZAP CA and proxy
- Make an HTTPS request through ZAP
Error
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1032)'))': /riskCirrusCore/deployments?filter=eq%28solution_cd%2CST%29
Describe the solution you'd like:
Root Cause
CertificateUtils.createServerCertificateImpl() in:
addOns/network/src/main/java/org/zaproxy/addon/network/internal/cert/CertificateUtils.java
adds basicConstraints and subjectKeyIdentifier to leaf certs but omits authorityKeyIdentifier.
Describe alternatives you've considered:
Patching the ZAP Docker image at build time by recompiling CertificateUtils.java with the AKI extension added; this works but requires maintaining a custom image patch for every ZAP release.
Screenshots:
No response
Additional context:
No response
Would you like to help fix this issue?
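A client-side check for the condition reported above, added here as an example (it is not ZAP's code and not part of the original report): it walks a DER-encoded certificate using only the Python standard library and lists which of subjectKeyIdentifier and authorityKeyIdentifier are absent. The helper names and the two skeleton certificates are constructed for illustration.

```python
SKI, AKI = "2.5.29.14", "2.5.29.35"   # subjectKeyIdentifier, authorityKeyIdentifier

def tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):                     # (tag, value) for each TLV inside a constructed value
    pos = 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        yield tag, val

def oid(val):
    """Decode OID content octets to dotted notation."""
    arcs, n = [], 0
    for b in val:
        n = (n << 7) | (b & 0x7F)
        if b < 0x80:                   # high bit clear: last octet of this arc
            arcs, n = arcs + [n], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def extension_oids(cert_der):
    """Set of extension OIDs present in a DER-encoded X.509 certificate."""
    tbs = tlv(tlv(cert_der)[1])[1]     # Certificate -> TBSCertificate
    for tag, val in children(tbs):
        if tag == 0xA3:                # [3] EXPLICIT Extensions
            return {oid(next(children(e))[1]) for _, e in children(tlv(val)[1])}
    return set()

def missing_key_ids(cert_der):
    return [o for o in (SKI, AKI) if o not in extension_oids(cert_der)]

# Constructed skeleton certificates (empty name/key fields), not real ZAP output.
def enc(tag, *parts):                  # short-form lengths only, enough for the samples
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample_cert(*ext_oids):
    exts = [enc(0x30, enc(0x06, o), enc(0x04)) for o in ext_oids]
    tbs = enc(0x30, enc(0xA0, enc(0x02, b"\x02")), enc(0x02, b"\x01"),
              *[enc(0x30)] * 5, enc(0xA3, enc(0x30, *exts)))
    return enc(0x30, tbs, enc(0x30), enc(0x03, b"\x00"))
LEAF_AS_REPORTED = sample_cert(b"\x55\x1d\x13", b"\x55\x1d\x0e")   # basicConstraints + SKI
LEAF_WITH_AKI = sample_cert(b"\x55\x1d\x13", b"\x55\x1d\x0e", b"\x55\x1d\x23")
```

For a real leaf certificate in PEM form, convert it first with `ssl.PEM_cert_to_DER_cert()` and pass the resulting bytes to `missing_key_ids()`.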