When creating a certificate using an openssl CA, I specify the x509v3
extension basicConstraints = critical,CA:FALSE.
Looking at the generated certificate using

% openssl x509 -noout -text -purpose -in nonca.pem
X509v3 Basic Constraints: critical
CA:FALSE <====================
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes <==================
OCSP helper : Yes
OCSP helper CA : No

How can this be? CA usage is "critical"ly forbidden, yet the CA
usage for "Any Purpose" is possible? Is this an OpenSSL problem,
or a misunderstanding on my side?
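
A way to reproduce the output in the question on a throwaway certificate, so the basicConstraints value can be compared row by row with the -purpose table. This is an added example, not part of the original post; it self-signs the certificate instead of issuing it from a CA, and the file names and the subject nonca.example are constructed.

```shell
#!/bin/sh
# Added example: file names and subject are constructed for illustration.

# Create a throwaway self-signed certificate whose only configured extension
# is basicConstraints = critical,CA:FALSE. Prints the certificate path.
make_nonca_cert() {
    dir=$1
    cat > "$dir/nonca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = nonca.example
[ext]
basicConstraints = critical,CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/nonca.cnf" \
        -keyout "$dir/nonca.key" -out "$dir/nonca.pem" 2>/dev/null || return 1
    echo "$dir/nonca.pem"
}

# Print the value line under "X509v3 Basic Constraints" (e.g. CA:FALSE).
basic_constraints() {
    openssl x509 -noout -text -in "$1" |
        sed -n '/X509v3 Basic Constraints/{n;s/^ *//;p;}'
}

# Print the Yes/No value of one row of the -purpose table,
# e.g. purpose_value nonca.pem "SSL server CA".
purpose_value() {
    openssl x509 -noout -purpose -in "$1" |
        sed -n "s/^$2 : //p"
}

# List every "... CA" row of the -purpose table that is not reported as No.
ca_rows_not_no() {
    openssl x509 -noout -purpose -in "$1" |
        sed -n 's/^\(.* CA\) : \(.*\)$/\1=\2/p' | grep -v '=No$' || true
}
```

Running `ca_rows_not_no "$(make_nonca_cert /tmp)"` prints only the CA rows that differ from No, which is the row the question points at.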


