Why is localhost self-signed cert a CA cert?

I am building a mail server on CentOS 6.3 and working with OpenSSL to 
create a self-signed certificate for mail use.

Along the line of learning the 'best' options to use for OpenSSL and 
dealing with the default SSL virtual host for Apache, I discovered that 
the localhost cert created (I believe) during firstboot has the X509v3 
extensions set as a CA cert (e.g. basicConstraint CA:TRUE).  I was once 
very involved in PKIX and legal issues on certificate policy.  Having 
the localhost cert being a CA cert, thus allowed to sign other certs, 
MAY have legal implications in the USofA and EU.

Why was this chosen?  Why is not -extensions v3_req used in the 
certificate creation?

Oh you can see this for yourself with:

openssl x509 -in /etc/pki/certs/localhost.crt -text -nameopt multiline -noout | more


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
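
Added example (not part of the original post): the check the post describes, run against two throwaway self-signed certificates, one issued with CA:TRUE and one with CA:FALSE, so the difference in the `openssl x509 -text` output can be tested in a script. The config section names, the `localhost.example` CN and the helper names `make_cert`, `is_ca` and `report` are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: compare basicConstraints on two throwaway self-signed certs.

# make_cert <prefix> <TRUE|FALSE>: self-sign <prefix>.crt with CA:<value>.
# Section names and the CN are constructed for this example.
make_cert() {
    cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = localhost.example
[ext]
basicConstraints = critical,CA:$2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1.cnf" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# is_ca <cert>: succeeds only if the certificate text shows CA:TRUE.
# A certificate with no basicConstraints extension is reported as non-CA.
is_ca() {
    openssl x509 -in "$1" -noout -text | grep 'CA:TRUE' >/dev/null
}

# report <cert>: print a one-word verdict for the certificate.
report() {
    if is_ca "$1"; then echo "CA"; else echo "end-entity"; fi
}

tmp=$(mktemp -d)
make_cert "$tmp/ca-like" TRUE
make_cert "$tmp/server" FALSE
echo "ca-like.crt: $(report "$tmp/ca-like.crt")"
echo "server.crt:  $(report "$tmp/server.crt")"
rm -rf "$tmp"
```

Pointing `is_ca` at an existing server certificate gives the same yes/no answer without reading the full text dump by eye.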

