I'm leaning towards marking this bug as Won't Fix. As stated above, this
is needed by a minority of users and the current configuration (which is
still the same regarding this) is therefore sound for the vast majority
of users. Moreover, this would have consequences for this majority of
users as stated in the configuration:

    # This goes against PKIX guidelines but some CAs do it and some software
    # requires this to avoid interpreting an end user certificate as a CA.

https://bugs.launchpad.net/bugs/50333

Title:
  Default configuration file prevents the creation of a valid
  Certificate Authority

Status in openssl package in Ubuntu:
  Confirmed

Bug description:
  When using the default configuration file and the script
  /usr/lib/ssl/misc/CA.[sh|pl] -newca is run, the certificate authority
  created by the script is not authorized to issue certificates.

  An error is issued by Windows clients after the certificate is
  imported:

  "This Certificate is not valid because one of the certification
  authorities in the certification path does not appear to be allowed to
  issue certificates or this certificate cannot be used as an end-entity
  certificate."

  To correct the problem, one line needs to be modified in the
  [ CA_default ] section of /etc/ssl/openssl.cnf:

  Change this:

  x509_extensions = usr_cert

  To this:

  x509_extensions = v3_ca
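
An added example, not part of the bug report or of the openssl package: a stdlib-only Python check that resolves which extension section `x509_extensions` in `[ CA_default ]` points at and whether certificates signed with that configuration carry `CA:TRUE`. The config excerpt is constructed, modelled on the two sections the report names, and `parse_cnf`, `issued_cert_is_ca` and `audit` are hypothetical helper names.

```python
import re

# Constructed excerpt modelled on the stock openssl.cnf layout (not the full file).
SAMPLE_CNF = """
[ ca ]
default_ca = CA_default

[ CA_default ]
x509_extensions = usr_cert   # The extensions to add to the cert

[ usr_cert ]
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints = CA:FALSE

[ v3_ca ]
basicConstraints = CA:true
"""

def parse_cnf(text):
    """Parse OpenSSL-style config text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections

def issued_cert_is_ca(text):
    """Return (extension_section, is_ca) for certificates signed via `openssl ca`."""
    cnf = parse_cnf(text)
    ext = cnf[cnf["ca"]["default_ca"]]["x509_extensions"]
    constraints = cnf.get(ext, {}).get("basicConstraints", "")
    # The value may carry several comma-separated fields, e.g. "critical,CA:true".
    fields = [field.strip().upper() for field in constraints.split(",")]
    return ext, "CA:TRUE" in fields

def audit(text):
    ext, is_ca = issued_cert_is_ca(text)
    if is_ca:
        return f"{ext}: every certificate signed with this config is a CA"
    return f"{ext}: signed certificates are end-entity (CA:FALSE or unset)"

if __name__ == "__main__":
    print(audit(SAMPLE_CNF))                                   # default setting
    print(audit(SAMPLE_CNF.replace("= usr_cert", "= v3_ca")))  # proposed change
```

With `usr_cert` the check reports end-entity certificates, which is the state the report describes for the `-newca` root; with `v3_ca` it reports that everything signed with this configuration, end-user certificates included, would be a CA.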
