Hi, I have a chain of certificates C->B->A->RootCA. The TLS client only presents C during the TLS handshake. RootCA has the Certificate Sign extension set but not B and A. The TLS server fails the TLS handshake because of the absence of the Certificate Sign extension in B and A. My first question: if the TLS server has the entire chain of certificates B->A->RootCA in its truststore, is it correct to assume that the Certificate Sign extension is not required in B and A? My second question: by default the TLS server will fail the TLS handshake because of the absence of the Certificate Sign extension. Is there a recommended way to disables the check for this extension in the TLS handshake? Thanks, Mourad.
