> On Jan 22, 2018, at 3:42 PM, Jeffrey Walton <noloader@xxxxxxxxx> wrote: > >> Your problem is a misconfigured CA certificate. Make sure your *CA* >> certificate has no extended key usage specified, OR has *all* the key >> usages specified that are required by any leaf certificate it will issue. > > This is wrong. The CA is not misconfigured. You might say so, and yet, with more than just OpenSSL, the CA is not suitable for issuing leaf certificates that are not included in its extended key usage. This is a de facto standard. >>> For my understanding, CA certificate may have these exteded keys - it's just >>> something out of the ordinary. >> >> The extended key usages on the CA are interpreted to LIMIT the key usages >> of certificates it can issue. You can certainly use this extension, but >> then expect the CA to be invalid for key usages you did not list. > > This is wrong. The KU and EKU bits are not interpreted that way. They plainly *are* interpreted in that way, just not by RFC5280, but that's not the point. > Here's the standards OpenSSL claims to implement: > https://www.openssl.org/docs/standards.html. So do many others, and yet when the RFC is impractical, a more practical alternative is implemented. -- Viktor. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users