> On Jan 21, 2018, at 2:40 PM, Jeffrey Walton <noloader@xxxxxxxxx> wrote:
>
>> OpenSSL interprets the "extendedKeyUsage" extension in CA certificates
>> as a restriction on the allowed extended key usages of leaf certificates
>> that can be issued by that CA.
>>
>> You should typically not specify extended key usage for CA certificates
>> at all, unless you mean to restrict them to specific purposes.
>
> The behavior is inconsistent with RFC 5280:
>
> 4.2.1.12. Extended Key Usage
>
> This extension indicates one or more purposes for which the certified
> public key may be used, in addition to or in place of the basic
> purposes indicated in the key usage extension. In general, this
> extension will appear only in end entity certificates. This
> extension is defined as follows ...

We're well aware of this, but this is the de-facto behaviour of multiple
implementations. This is an area in which RFC5280 fails to match the
real world.

--
Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
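As an added example, not from the thread and not OpenSSL's code, the following Python models the de-facto rule Viktor describes: when a chain is verified for a purpose, every CA certificate that carries an extendedKeyUsage extension must itself permit that purpose, so an EKU on an intermediate silently restricts everything issued beneath it. The `Cert` type, the sample chain and the `lint_ca_eku` helper are constructed for this illustration; anyExtendedKeyUsage is modelled with RFC 5280 semantics (permits every purpose), which is an assumption about how a given implementation treats it, and keyUsage and basicConstraints checks are deliberately left out.

```python
# Added example (not from the thread): a model of the de-facto rule where a
# CA certificate's extendedKeyUsage constrains the purposes of every
# certificate below it in the chain.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# EKU purpose OIDs from RFC 5280 section 4.2.1.12
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
ANY_EKU = "2.5.29.37.0"  # anyExtendedKeyUsage


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (hypothetical type)."""
    subject: str
    is_ca: bool
    eku: Optional[frozenset] = None  # None means the extension is absent


def permits(cert: Cert, purpose: str) -> bool:
    """A certificate without EKU is unrestricted; with EKU it must list the
    purpose. anyExtendedKeyUsage is modelled per RFC 5280 as permitting
    every purpose (assumption: implementations differ on this point)."""
    if cert.eku is None:
        return True
    return purpose in cert.eku or ANY_EKU in cert.eku


def check_chain_purpose(chain: List[Cert], purpose: str) -> Tuple[bool, str]:
    """chain[0] is the leaf, chain[-1] the trust anchor.

    Under the de-facto rule every certificate in the chain, CA certificates
    included, must permit the requested purpose (RFC 5280 alone would only
    consult the leaf). Returns (ok, reason) naming the depth that failed."""
    for depth, cert in enumerate(chain):
        if not permits(cert, purpose):
            role = "leaf" if depth == 0 else "CA"
            return False, (f"{role} {cert.subject!r} at depth {depth} "
                           f"does not permit {purpose}")
    return True, "ok"


def lint_ca_eku(chain: List[Cert]) -> List[str]:
    """Flag CA certificates that carry an EKU extension at all: per the
    advice in the thread that is either unintended or a deliberate
    restriction, and either way worth reviewing before deployment."""
    findings = []
    for cert in chain:
        if cert.is_ca and cert.eku is not None:
            findings.append(
                f"CA {cert.subject!r} has extendedKeyUsage {sorted(cert.eku)}; "
                "this restricts every certificate issued below it")
    return findings


# Constructed sample chain: a root without EKU, an intermediate that was
# (perhaps accidentally) issued with EKU=serverAuth, and a TLS leaf meant
# to serve both server and client authentication.
ROOT = Cert("Example Root CA", is_ca=True)
INTERMEDIATE = Cert("Example Issuing CA", is_ca=True,
                    eku=frozenset({SERVER_AUTH}))
LEAF = Cert("www.example.test", is_ca=False,
            eku=frozenset({SERVER_AUTH, CLIENT_AUTH}))
CHAIN = [LEAF, INTERMEDIATE, ROOT]

if __name__ == "__main__":
    for purpose in (SERVER_AUTH, CLIENT_AUTH):
        ok, why = check_chain_purpose(CHAIN, purpose)
        print(f"{purpose}: {'accepted' if ok else 'rejected'} ({why})")
    for finding in lint_ca_eku(CHAIN):
        print("warning:", finding)
```

Run as a script, the chain is accepted for serverAuth but rejected for clientAuth at depth 1, even though the leaf lists clientAuth, which is exactly the surprise the thread is about; the lint output shows where to look first when a deployment fails verification this way.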