> On Jan 22, 2018, at 1:47 AM, Jeffrey Walton <noloader@xxxxxxxxx> wrote:
>
> I think you have a couple of choices.
>
> First, you can downgrade to a version of OpenSSL that follows the RFC.
> Second, you can patch OpenSSL to follow the RFC. Third, you can
> implement the verify_callback and override the errant behavior.

None of this is necessary. The OP indicates that the *leaf* certificate has certain required extended key usages, but there is no indication that the same applies to the intermediate CA.

The solution is to use a CA chain in which NONE of the CA certificates have an extended key usage extension. ONLY the leaf certificate should have that extension.

CA certificates should have extended key usage specified when intended to only issue leaf certificates that are to be used ONLY for the listed purposes. General-purpose CAs should not have extended key usage.

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
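The following script is an added illustration of the advice above; it is not code from the thread or from the OpenSSL project. It builds a throwaway PKI with constructed names (a root, two intermediates, and a serverAuth leaf under each) and runs `openssl verify -purpose sslserver` over both chains. The two intermediates differ only in whether they carry an extendedKeyUsage extension; the restricted one is given `clientAuth`, an assumed stand-in for whatever EKU the OP's intermediate carried. It needs an `openssl` binary (1.1.1 or 3.x) on PATH and writes only into a temporary directory.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. All names are constructed.
# Shows that an EKU on an intermediate CA that does not cover the purpose
# being checked makes OpenSSL reject the whole chain, while the same leaf
# verifies under an intermediate that has no EKU at all.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the script does not depend on a system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
EOF

# Intermediate CA extensions: "plain" has no EKU (general-purpose CA),
# "eku" is limited to clientAuth, which does not include serverAuth.
cat > "$WORK/ca-plain.ext" <<'EOF'
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
EOF
cat > "$WORK/ca-eku.ext" <<'EOF'
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
extendedKeyUsage = clientAuth
EOF

# Leaf extensions: the only certificate that should carry an EKU.
cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = CA:false
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
EOF

# csr NAME CN: generate a P-256 key and CSR for NAME.
csr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -config "$WORK/req.cnf" -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# sign NAME CA EXTFILE: issue NAME's CSR under CA with the given extensions.
sign() {
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 30 -extfile "$WORK/$3" -out "$WORK/$1.crt" 2>/dev/null
}

build_pki() {
    # Self-signed root without any EKU.
    openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -config "$WORK/req.cnf" -extensions v3_root -subj "/CN=Example Root" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" -days 30 2>/dev/null
    for ca in plain eku; do
        csr "ca-$ca" "Example Intermediate $ca"
        sign "ca-$ca" root "ca-$ca.ext"
        csr "leaf-$ca" "www.example.test"
        sign "leaf-$ca" "ca-$ca" leaf.ext
    done
}

# verify_chain {plain|eku}: prints OK or FAIL for the leaf issued under
# that intermediate, checked against the sslserver purpose.
verify_chain() {
    if openssl verify -purpose sslserver -CAfile "$WORK/root.crt" \
            -untrusted "$WORK/ca-$1.crt" "$WORK/leaf-$1.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

build_pki
echo "intermediate without EKU:         $(verify_chain plain)"
echo "intermediate with EKU=clientAuth: $(verify_chain eku)"
```

Note that `openssl verify` applies the purpose check only when `-purpose` is given, whereas libssl sets the ssl_server or ssl_client purpose on its own during a TLS handshake, so a chain that passes a bare `openssl verify` can still be rejected by a TLS client. Run the check with the purpose your deployment will actually use.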