Hi,

We are using openssl 1.0.2j and have 3-level certificates like this:
root CA --> intermediate 01 CA --> intermediate 02 CA --> Server certificate.

We generated intermediate 02 such that it has the "basicConstraints" extension
and "keyUsage" missing. We then used this intermediate 02 CA to sign the server
certificate.

We have uploaded the CA certificates on the client side in the trust store.
When a connection is made using openssl s_client / curl, we see that the
connection goes through successfully and the certificate chain is verified
OK.

We expected the verification to fail as one of the certificates in the chain
has "basicConstraints" missing. But openssl allows it. Is this the right
behaviour?

If we need to have this check in place, how do we go about it?


Thanks,
Sandeep
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
