> On Jan 21, 2018, at 2:40 PM, Jeffrey Walton <noloa...@gmail.com> wrote:
> 
>> OpenSSL interprets the "extendedKeyUsage" extension in CA certificates
>> as a restriction on the allowed extended key usages of leaf certificates
>> that can be issued by that CA.
>> 
>> You should typically not specify extended key usage for CA certificates
>> at all, unless you mean to restrict them to specific purposes.
> 
> The behavior is inconsistent with RFC 5280:
> 
> 4.2.1.12.  Extended Key Usage
> 
>   This extension indicates one or more purposes for which the certified
>   public key may be used, in addition to or in place of the basic
>   purposes indicated in the key usage extension.  In general, this
>   extension will appear only in end entity certificates.  This
>   extension is defined as follows ...

We're well aware of this, but this is the de-facto behaviour of
multiple implementations.  This is an area in which RFC 5280 fails
to match the real world.

-- 
        Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
