On Tue, Jul 05, 2005, Martin Kraemer wrote:

> When creating a certificate using an openssl CA, I specify the x509v3
> extension basicConstraints = critical,CA:FALSE.
> Looking at the generated certificate using
>
> % openssl x509 -noout -text -purpose -in nonca.pem
> ...
> X509v3 Basic Constraints: critical
> CA:FALSE <====================
> ...
> Certificate purposes:
> SSL client : Yes
> SSL client CA : No
> SSL server : Yes
> SSL server CA : No
> Netscape SSL server : Yes
> Netscape SSL server CA : No
> S/MIME signing : Yes
> S/MIME signing CA : No
> S/MIME encryption : Yes
> S/MIME encryption CA : No
> CRL signing : No
> CRL signing CA : No
> Any Purpose : Yes
> Any Purpose CA : Yes <==================
> OCSP helper : Yes
> OCSP helper CA : No
>
> How can this be, CA usage is "critical"ly forbidden, yet the CA
> usage for "Any Purpose" is possible ??? Is this an openssl problem,
> or a misunderstanding on my side?
The "Any Purpose" setting is something which lets anything through and
performs no checks at all. It was put there originally as a way for people
to use broken certificates if they had no other choice and could live with
the consequences. This setting has to be explicitly requested in code:
meaning it can't be accidentally set.

Since then CA checks have been made mandatory in the code even if "Any
Purpose" is set. So if you actually tried to use that certificate as a CA it
would be rejected.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [EMAIL PROTECTED]
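The two halves of this exchange, reproduced as an added example that is not part of the original thread: a self-signed certificate is built with basicConstraints=critical,CA:FALSE, its purpose table is read back with the same "openssl x509 -purpose" command the question used (the "Any Purpose CA" row still says Yes because that purpose performs no check), and then a leaf certificate is signed with the non-CA certificate and handed to "openssl verify", which refuses the chain with "invalid CA certificate". Assumptions: an openssl binary (1.1.1 or 3.x) on PATH, a scratch directory under $TMPDIR, and a constructed minimal req config so the default openssl.cnf cannot add extensions of its own.

```shell
#!/bin/sh
# Added example, not code from the original mail. Assumes openssl 1.1.1 or 3.x on PATH.
set -eu

WORK="${TMPDIR:-/tmp}/nonca-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config (constructed here) so the default openssl.cnf is never consulted.
cat >"$WORK/req.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn

[ dn ]
CN = nonca example

[ ee ]
basicConstraints = critical,CA:FALSE
EOF

# Self-signed certificate whose basicConstraints is the critical CA:FALSE from the thread.
make_nonca_cert() {
  openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config "$WORK/req.cnf" -extensions ee -days 1 \
    -keyout "$WORK/nonca.key" -out "$WORK/nonca.pem" 2>/dev/null
}

# Prints 1 when the certificate text shows "Basic Constraints: critical" followed by CA:FALSE.
has_critical_ca_false() {
  openssl x509 -noout -text -in "$WORK/nonca.pem" |
    awk '/X509v3 Basic Constraints: critical/ { getline; if ($0 ~ /CA:FALSE/) n++ }
         END { print n + 0 }'
}

# Prints Yes/No for one row of the "openssl x509 -purpose" table, e.g. "SSL server CA".
purpose_of() {
  openssl x509 -noout -purpose -in "$WORK/nonca.pem" |
    awk -F' : ' -v row="$1" '$1 == row { print $2 }'
}

# Sign a leaf with the non-CA certificate. "openssl x509 -req" does not refuse to do
# this; the rejection Steve describes happens in path validation, below.
make_leaf_signed_by_nonca() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config "$WORK/req.cnf" -subj "/CN=leaf example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -days 1 -set_serial 2 \
    -CA "$WORK/nonca.pem" -CAkey "$WORK/nonca.key" -out "$WORK/leaf.pem" 2>/dev/null
}

# Returns 0 (true) when "openssl verify" rejects the leaf, i.e. the CA:FALSE certificate
# is not accepted as an issuer regardless of what the "Any Purpose" row reported.
nonca_rejected_as_issuer() {
  if openssl verify -CAfile "$WORK/nonca.pem" "$WORK/leaf.pem" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# The verifier's own reason string, e.g. "invalid CA certificate".
rejection_reason() {
  openssl verify -CAfile "$WORK/nonca.pem" "$WORK/leaf.pem" 2>&1 |
    sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
}

make_nonca_cert
make_leaf_signed_by_nonca
echo "critical CA:FALSE present : $(has_critical_ca_false)"
echo "SSL server CA             : $(purpose_of 'SSL server CA')"
echo "Any Purpose CA            : $(purpose_of 'Any Purpose CA')"
if nonca_rejected_as_issuer; then
  echo "verify rejects leaf       : yes ($(rejection_reason))"
else
  echo "verify rejects leaf       : no"
fi
```

The purpose table is a per-certificate report of what each purpose's own check function says, and the "Any Purpose" check function accepts everything; the CA decision that matters is the basicConstraints test applied to every non-leaf certificate during chain verification, which is why the last line reports a rejection even though the table printed Yes.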
