On Sun, Jan 21, 2018 at 1:31 PM, Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote: > > ... > OpenSSL interprets the "extendedKeyUsage" extension in CA certificates > as a restriction on the allowed extended key usages of leaf certificates > that can be issued by that CA. > > You should typically not specify extended key usage for CA certificates > at all, unless you mean to restrict them to specific purposes. The behavior is inconsistent with RFC 5280: 4.2.1.12. Extended Key Usage This extension indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension. In general, this extension will appear only in end entity certificates. This extension is defined as follows ... Jeff -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users