Must non-CA, self-signed certificates have the "keyCertSign" bit set in the keyUsage extension to be "valid?"
If I don't have the bit set and execute the following command: openssl verify -check_ss_sig -CAfile ./my-ss-cert.pem ./my-ss-cert.pem I get the following error: error 20 at 0 depth lookup:unable to get local issuer certificate Maybe the "right" combination is to 1) set the "keyCertSign" bit in keyUsage and 2) set CA:FALSE in basicConstraints? Thanks.