On Tue, Jul 05, 2005, Martin Kraemer wrote:

> When creating a certificate using an openssl CA, I specify the x509v3
> extension basicConstraints = critical,CA:FALSE.
> Looking at the generated certificate using
> % openssl x509 -noout -text -purpose -in nonca.pem
> ...
> X509v3 Basic Constraints: critical
> CA:FALSE <====================
> ...
> Certificate purposes:
> SSL client : Yes
> SSL client CA : No
> SSL server : Yes
> SSL server CA : No
> Netscape SSL server : Yes
> Netscape SSL server CA : No
> S/MIME signing : Yes
> S/MIME signing CA : No
> S/MIME encryption : Yes
> S/MIME encryption CA : No
> CRL signing : No
> CRL signing CA : No
> Any Purpose : Yes
> Any Purpose CA : Yes <==================
> OCSP helper : Yes
> OCSP helper CA : No
> How can this be, CA usage is "critical"ly forbidden, yet the CA
> usage for "Any Purpose" is possible ??? Is this an openssl problem,
> or a misunderstanding on my side?

The "Any Purpose" setting is something which lets anything through and
performs no checks at all. It was put there originally as a way for people to
use broken certificates if they had no other choice and could live with the
consequences. This setting has to be explicitly requested in code: meaning it
can't be accidentally set.

Since then CA checks have been made mandatory in the code even if "Any
Purpose" is set. So if you actually tried to use that certificate as a CA it
would be rejected.

Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org
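The two statements in the reply can be checked side by side with the openssl command-line tools. The script below is an added example, not part of the thread or of the OpenSSL project: it builds a self-signed certificate carrying basicConstraints = critical,CA:FALSE (the same extension Martin used), shows that "openssl x509 -purpose" still reports "Any Purpose CA : Yes" for it, and then shows that path validation refuses to accept a leaf issued under that certificate even when the caller asks for "-purpose any", because the CA check in the chain walk is applied regardless of the selected purpose. The file names, subjects and the prime256v1 curve are constructed for the example; the config file is written by the script itself so nothing depends on the system openssl.cnf.

```shell
#!/bin/sh
# Added example (not from the thread): a CA:FALSE certificate is displayed
# as "Any Purpose CA : Yes" by `openssl x509 -purpose`, yet `openssl verify
# -purpose any` still rejects it as an issuer.  Names below are constructed.

# Writes a minimal OpenSSL config with two extension sections into file $1.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = constructed-nonca

[ v3_nonca ]
# The extension from the original question: CA usage critically forbidden.
basicConstraints = critical,CA:FALSE

[ v3_leaf ]
basicConstraints = CA:FALSE
EOF
}

# Creates nonca.pem (self-signed, CA:FALSE) and leaf.pem (signed by nonca)
# in directory $1.  `openssl x509 -req` does not itself check the signer's
# basicConstraints, which is why the leaf can be produced at all.
build_certs() {
    d=$1
    write_config "$d/openssl.cnf"
    openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout "$d/nonca.key" -out "$d/nonca.pem" -days 1 \
        -config "$d/openssl.cnf" -extensions v3_nonca >/dev/null 2>&1
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" -subj "/CN=constructed-leaf" \
        -config "$d/openssl.cnf" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/nonca.pem" -CAkey "$d/nonca.key" \
        -CAcreateserial -out "$d/leaf.pem" -days 1 \
        -extfile "$d/openssl.cnf" -extensions v3_leaf >/dev/null 2>&1
}

# Prints the "Any Purpose CA" line of `openssl x509 -purpose` for cert $1,
# with runs of spaces collapsed so the output is stable across versions.
any_purpose_ca_line() {
    openssl x509 -noout -purpose -in "$1" | grep '^Any Purpose CA' | tr -s ' '
}

# Prints "rejected" if path validation with -purpose any refuses to treat
# trust anchor $1 as the issuer of leaf $2, "accepted" otherwise.  The
# failure OpenSSL reports here is "invalid CA certificate".
verify_with_any_purpose() {
    if openssl verify -purpose any -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# Runs the whole demonstration in a scratch directory and prints one line:
# "Any Purpose CA : Yes | verify -purpose any: rejected"
demo_any_purpose_vs_ca_check() {
    dir=$(mktemp -d)
    build_certs "$dir"
    printf '%s | verify -purpose any: %s\n' \
        "$(any_purpose_ca_line "$dir/nonca.pem")" \
        "$(verify_with_any_purpose "$dir/nonca.pem" "$dir/leaf.pem")"
    rm -rf "$dir"
}

demo_any_purpose_vs_ca_check
```

The purpose table answers "can this certificate be used for purpose X as a CA?" and the "Any Purpose" entry performs no check at all, so it says Yes for every certificate; the chain walk in verification is a separate step that requires every non-leaf certificate to pass the CA test, which a certificate with CA:FALSE cannot.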