Viktor Dukhovni wrote:
>> On Jan 19, 2018, at 10:09 PM, Frank Migge <f...@frank4dd.com> wrote:
>>
>>>> Object 04: X509v3 Extended Key Usage: TLS Web Server Authentication
>>
>> This is where I would check first.
>>
>> I am not fully sure, but believe that Extended Key Usage should *not* be 
>> there.
> 
> Indeed the intermediate CA should either not have an extendedKeyUsage, or that
> keyUsage should include the desired "purpose".

Full ack.

But unfortunately M$ implemented this requirement to add such a value to
Extended Key Usage of intermediate CA certs violating X.509 and RFC
5280. And now all PKI lemmings are following this crap.

=> use your own CA

Ciao, Michael.
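
The effect discussed in this thread can be reproduced with the openssl command line. This is an added example, not part of the original messages: it builds a throwaway root, certifies one intermediate key twice (once without extendedKeyUsage, once with serverAuth only), issues a client leaf, and verifies it for the sslclient purpose. All subject names, file names and config section names are constructed.

```shell
# Added demo: every subject, file and section name here is constructed.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

build_demo_pki() (
  cd "$DEMO_DIR" || exit 1
  cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[ca_plain]
basicConstraints = critical,CA:TRUE
[ca_eku_server]
basicConstraints = critical,CA:TRUE
extendedKeyUsage = serverAuth
[leaf_client]
extendedKeyUsage = clientAuth
EOF
  newkey="-newkey rsa:2048 -nodes -config demo.cnf"
  # Root CA: self-signed, no EKU.
  openssl req -x509 $newkey -extensions ca_plain -subj "/CN=Demo Root" \
    -keyout root.key -out root.pem -days 2 || exit 1
  # One intermediate key and CSR, certified twice: without and with EKU.
  openssl req -new $newkey -subj "/CN=Demo Intermediate" \
    -keyout int.key -out int.csr || exit 1
  for ext in ca_plain ca_eku_server; do
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -extfile demo.cnf -extensions "$ext" -days 2 -out "int_$ext.pem" || exit 1
  done
  # Client leaf signed with the intermediate key.
  openssl req -new $newkey -subj "/CN=demo-client" \
    -keyout leaf.key -out leaf.csr || exit 1
  openssl x509 -req -in leaf.csr -CA int_ca_plain.pem -CAkey int.key \
    -CAcreateserial -extfile demo.cnf -extensions leaf_client -days 2 \
    -out leaf.pem || exit 1
) >/dev/null 2>&1

# verify_leaf INTERMEDIATE_CERT PURPOSE -> exit status of "openssl verify"
verify_leaf() {
  openssl verify -CAfile "$DEMO_DIR/root.pem" -untrusted "$DEMO_DIR/$1" \
    -purpose "$2" "$DEMO_DIR/leaf.pem" >/dev/null 2>&1
}

build_demo_pki || { echo "PKI build failed"; exit 1; }
for ca in int_ca_plain.pem int_ca_eku_server.pem; do
  if verify_leaf "$ca" sslclient; then r=OK; else r=REJECTED; fi
  echo "$ca as issuer, purpose sslclient: $r"
done
```

With `-purpose sslclient`, OpenSSL applies the purpose check to every certificate in the chain, so the serverAuth-only intermediate causes the client leaf to be rejected while the EKU-free intermediate is accepted.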


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users