Hi,

I have modified the [ v3_ca ] extension section in my openssl.cnf so that the basicConstraints is set as follows:

basicConstraints - CA:true,pathlen:1

This is to work around an existing weblogic bug.

Problem is when I generate my CA, the cacert.pem is not picking up these settings:

Generated output:

....

X509v3 extenstions:

x509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, SSL Server, S/MIME, Object Signing
Netscape Comment:
OpenSSL Generawted Certificate

....

It seems that I specified in openssl.cnf isn't getting picked up. I should see something like:

x509v3 Basic Constraints:

BasicConstraints:[
CA:true
PathLen:1
]

Any ideas? Thanks in advance!