Hi,

> > > No it just means that most certificates could (in theory) be used as SSL
> > > server certificates. If you had appropriate extensions restrictions (e.g.
> > > extended key usage or the deprecated netscape certificate type) you'd
> > > notice the difference.
> > >
> >
> > Thanks for the quick answer. Still, does this mean that if I don't use
> > -purpose at all, the certification chain would still be evaluated
> > normally, just without checking for certificate purpose? Because the way
> > the docs say it, I would have concluded chain evaluation is not done at all -
> > yet it seems to happen.
> >
>
> It just checks CA certificates are valid using basicConstraints and
> keyUsage extensions.


Sorry again, but this is somewhat confusing. Your words seem to imply that
the correctness of the chain leading up to the root CA is indeed evaluated
(else why bother about the CA cert?). Yet the docs say about -purpose:
"Without this option no chain verification will be done"

If I don't pass -purpose, is the correctness of the chain evaluated at all?
Because if it is, I think the wording in the docs is misleading.

Ralph
