When creating a certificate using an openssl CA, I specify the x509v3
extension basicConstraints = critical,CA:FALSE. Looking at the generated
certificate using

    % openssl x509 -noout -text -purpose -in nonca.pem
    ...
            X509v3 Basic Constraints: critical
                CA:FALSE                 <====================
    ...
    Certificate purposes:
    SSL client : Yes
    SSL client CA : No
    SSL server : Yes
    SSL server CA : No
    Netscape SSL server : Yes
    Netscape SSL server CA : No
    S/MIME signing : Yes
    S/MIME signing CA : No
    S/MIME encryption : Yes
    S/MIME encryption CA : No
    CRL signing : No
    CRL signing CA : No
    Any Purpose : Yes
    Any Purpose CA : Yes                 <==================
    OCSP helper : Yes
    OCSP helper CA : No

How can this be, CA usage is "critical"ly forbidden, yet the CA usage
for "Any Purpose" is possible ???

Is this an openssl problem, or a misunderstanding on my side?

  Irritated,

    Martin
--
<[EMAIL PROTECTED]>             |     Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730  Munich,  Germany
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
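
Added example (not part of the original message and not OpenSSL project code): a shell script that reproduces the observation above by issuing a throwaway certificate with basicConstraints = critical,CA:FALSE and reading back what openssl x509 -purpose reports for each CA purpose. It assumes a self-signed certificate rather than one issued by a CA; the file names, the CN and the helper function names are made up for the example.

```shell
#!/bin/sh
# Added example: reproduce the -purpose output for a CA:FALSE certificate.
# Assumptions: self-signed instead of CA-issued; file names and CN are made up.

WORKDIR=$(mktemp -d)
CERT="$WORKDIR/nonca.pem"

# Issue a throwaway certificate whose only extension is the one from the post.
make_nonca_cert() {
    cat > "$WORKDIR/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = nonca.example
[ext]
basicConstraints = critical,CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORKDIR/req.cnf" \
        -keyout "$WORKDIR/nonca.key" -out "$CERT" 2>/dev/null
}

# Print the Yes/No verdict openssl reports for one purpose label,
# e.g. "SSL client CA" or "Any Purpose CA".
purpose_of() {
    openssl x509 -noout -purpose -in "$1" |
        awk -F' : ' -v want="$2" '$1 == want { print $2 }'
}

make_nonca_cert || { echo "certificate generation failed" >&2; exit 1; }

# Show the extension as encoded, then every "... CA" verdict.
openssl x509 -noout -text -in "$CERT" | grep -A1 'X509v3 Basic Constraints'
for label in "SSL client CA" "SSL server CA" "S/MIME signing CA" \
             "CRL signing CA" "Any Purpose CA"; do
    printf '%-20s %s\n' "$label" "$(purpose_of "$CERT" "$label")"
done
```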