I'm leaning towards marking this bug as Won't Fix. As stated above, this is needed by a minority of users and the current configuration (which is still the same regarding this) is therefore sound for the vast majority of users. Moreover, this would have consequences for this majority of users as stated in the configuration:
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/50333

Title:
  Default configuration file prevents the creation of a valid
  Certificate Authority

Status in openssl package in Ubuntu:
  Confirmed

Bug description:
  When using the default configuration file and the script
  /usr/lib/ssl/misc/CA.[sh|pl] -newca is run, the certificate authority
  created by the script is not authorized to issue certificates. An
  error is issued by Windows' clients after the certificate is imported:

  "This Certificate is not valid because one of the certification
  authorities in the certification path does not appear to be allowed to
  issue certificates or this certificate cannot be used as an end-entity
  certificate."

  To correct the problem, one line needs to be modified in the
  [ CA_default ] section of /etc/ssl/openssl.cnf:

  Change this:
  x509_extensions = usr_crt

  To this:
  x509_extensions = v3_ca
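
The validation failure quoted in the bug description can be reproduced with a throwaway issuer. This is an added example, not part of the bug report or the Ubuntu package; function and file names are hypothetical, and the section names are those of the stock openssl.cnf. An issuer whose own certificate carries basicConstraints CA:FALSE fails chain validation, while one built with the v3_ca extensions passes.

```shell
#!/bin/sh
# Added demo, not from the bug report. Function and file names are hypothetical.
# Section names follow the stock openssl.cnf (usr_cert, v3_ca).
set -eu

write_cnf() {  # minimal config holding the two extension sections
cat > "$1/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ usr_cert ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign, cRLSign
EOF
}

# build_chain DIR SECTION: self-signed issuer carrying SECTION's extensions,
# plus one end-entity certificate signed by that issuer.
build_chain() {
  d=$1; sect=$2
  write_cnf "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/demo.cnf" \
    -extensions "$sect" -subj "/CN=Demo Root" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
    -subj "/CN=leaf.example" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/demo.cnf" -extensions usr_cert \
    -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# check_section SECTION: prints "accepted" or "rejected" for the leaf's chain.
check_section() {
  d=$(mktemp -d)
  build_chain "$d" "$1"
  if openssl verify -CAfile "$d/ca.pem" "$d/leaf.pem" >/dev/null 2>&1
  then r=accepted; else r=rejected; fi
  rm -rf "$d"
  echo "$r"
}

for s in v3_ca usr_cert; do
  echo "issuer built with [$s]: leaf $(check_section "$s")"
done
```

To inspect an existing issuer certificate for the same flag, `openssl x509 -in ca.pem -noout -text` shows the value under "X509v3 Basic Constraints".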