> On Jan 21, 2018, at 7:34 AM, Gladewitz, Robert via openssl-users <openssl-users@xxxxxxxxxxx> wrote:
>
> If I understand you right, then I need to add "TLS Web Client Authentication"
> to the CAPF certificate.

Or better still, remove the "ExtendedKeyUsage" extension from the CA certificate and thus specify neither "TLS Web Client Authentication" nor "TLS Web Server Authentication". When you "tag" a CA certificate with a given list of "purpose" OIDs, it is then not considered valid for the purposes that are not listed.

> But I have a question. In Freeradius I use the CAPF cert only as a CA
> cert, not as a server or client cert. The only function is to check
> that the client cert is signed by CAPF. For only checking this, does the CA need
> "TLS Web Client Authentication"??

OpenSSL interprets the "extendedKeyUsage" extension in CA certificates as a restriction on the allowed extended key usages of leaf certificates that can be issued by that CA. You should typically not specify extended key usage for CA certificates at all, unless you mean to restrict them to specific purposes.

--
	Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
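The behaviour described in the reply, reproduced with the openssl CLI as an added example (not code from the thread or from OpenSSL's own test suite): a CA whose certificate carries extendedKeyUsage=serverAuth is rejected when a clientAuth leaf it issued is verified for the sslclient purpose, while the same CA with no EKU, or with clientAuth, is accepted. It assumes an openssl 1.1.1 or 3.x binary on PATH; the subject names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): extendedKeyUsage on a CA certificate
# acts as a limit on the purposes for which OpenSSL will accept that CA.
# Assumes the openssl CLI (1.1.1 or 3.x) on PATH; all names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue a clientAuth leaf from a CA whose certificate carries the EKU list in
# $1 ("" means no extendedKeyUsage extension), then verify the leaf for the
# sslclient purpose, as a RADIUS server checking a client cert would. Prints
# "ok", "fail" (chain rejected) or "error" (certificate generation failed).
verify_client_leaf() {
  ca_eku=$1
  d=$(mktemp -d "$WORK/case.XXXXXX")
  {
    printf 'basicConstraints = critical, CA:TRUE\n'
    printf 'keyUsage = critical, keyCertSign, cRLSign\n'
    if [ -n "$ca_eku" ]; then printf 'extendedKeyUsage = %s\n' "$ca_eku"; fi
  } > "$d/ca_ext.cnf"
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\n' > "$d/leaf_ext.cnf"
  printf 'extendedKeyUsage = clientAuth\n' >> "$d/leaf_ext.cnf"
  if ! openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test CAPF CA' \
         -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null \
     || ! openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" \
         -extfile "$d/ca_ext.cnf" -out "$d/ca.crt" 2>/dev/null \
     || ! openssl req -new -newkey rsa:2048 -nodes -subj '/CN=phone-0001' \
         -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null \
     || ! openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
         -CAcreateserial -extfile "$d/leaf_ext.cnf" -out "$d/leaf.crt" 2>/dev/null
  then
    echo error; return 2
  fi
  # -purpose sslclient makes verify apply the EKU check to every cert in the
  # chain, including the CA; a CA tagged only serverAuth is then rejected.
  if openssl verify -purpose sslclient -CAfile "$d/ca.crt" "$d/leaf.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

echo "CA with no EKU:          $(verify_client_leaf '')"          # ok
echo "CA with EKU=clientAuth:  $(verify_client_leaf clientAuth)"  # ok
echo "CA with EKU=serverAuth:  $(verify_client_leaf serverAuth)"  # fail
```

The third case is the FreeRADIUS situation from the thread: the CAPF certificate is only used to check the issuer of client certificates, yet an EKU listing only server authentication stops OpenSSL from accepting it for that check.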