Hi,

I am using openssl and try to validate a self signed certificate where keyUsageSign bit in keyUsage extention is not set. Openssl is rejecting the certificate at TLS handshake time. I try to find does keyUsageSign bit in keyUsage extention, is required for a certificate to be used for signature verification on certificates and find:

Per RFC 5280:

If the keyUsage extension is present, then the subject public key
MUST NOT be used to verify signatures on certificates or CRLs unless
the corresponding keyCertSign or cRLSign bit is set.

So seems like Openssl is behaving correctly. But I wanted to double check if Openssl is indeed behaving correctly. Any suggestion?

If so, is there anyway to make openssl to accept certificate with keyUsageSign bit in keyUsage extention is not set ?

Regards,
Ajay