Hi Eric, On Tue, 2022-12-13 at 19:33 -0500, Eric Snowberg wrote: > Currently X.509 intermediate certs with the CA flag set to false do not > have the endorsed CA (KEY_FLAG_ECA) set. Allow these intermediate certs to > be added. Requirements for an intermediate include: Usage extension > defined as keyCertSign, Basic Constrains for CA is false, and the > intermediate cert is signed by a current endorsed CA. Intermediary keys should have the CA flag enabled as well. Why is this needed? At least for the new Kconfig, please keep it simple as to which certificates may be added to the machine keyring. thanks, Mimi
