On Fri, Jan 04, 2013 at 12:30:50PM -0500, Robert Moskowitz wrote:

> > There is nothing wrong with "CA:true" in a self-signed SSL certificate.
>
> By some definitions of 'wrong' :)
>
> You may not have attended the same sort of PKI policy meetings that
> I lived through! But since this is in large measure a policy issue,
> we will leave it there.

What meetings you happened to attend is of no consequence.

> I will test with user_cert over v3_req that I learned about over on
> the OpenSSL list. See how they compare.

It is "usr_cert", not "user_cert". The difference in the resulting
extensions is:

    v3_req:

        X509v3 Basic Constraints:
            CA:FALSE
        X509v3 Key Usage:
            Digital Signature, Non Repudiation, Key Encipherment

    usr_cert:

        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Comment:
            OpenSSL Generated Certificate
        X509v3 Subject Key Identifier:
            AD:3C:28:E3:E5:B5:F3:0A:5C:63:AB:08:15:4E:1C:42:A3:D5:83:E6
        X509v3 Authority Key Identifier:
            keyid:AD:3C:28:E3:E5:B5:F3:0A:5C:63:AB:08:15:4E:1C:42:A3:D5:83:E6

    default (v3_ca):

        X509v3 Subject Key Identifier:
            EC:1C:FE:EE:26:9E:09:44:8C:75:5C:F7:1E:38:32:4A:FA:93:FA:E6
        X509v3 Authority Key Identifier:
            keyid:EC:1C:FE:EE:26:9E:09:44:8C:75:5C:F7:1E:38:32:4A:FA:93:FA:E6
        X509v3 Basic Constraints:
            CA:TRUE

Perhaps of the three "v3_req" is the closest to a sensible set of
extensions for an endpoint certificate.

-- 
	Viktor.
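The following script is an added example, not part of the thread above and not code from either poster. It reproduces the comparison Viktor describes: it self-signs a certificate with each of the three extension sections (v3_req, usr_cert, v3_ca), lists the X.509v3 extensions each one yields, and runs a simple endpoint sanity check (not a CA, carries a key usage). It assumes the openssl command-line tool is installed; the section contents in the config file are my reconstruction of the stock openssl.cnf entries, and the subject name example.test is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): compare the extensions produced by the
# v3_req, usr_cert and v3_ca sections when self-signing with "openssl req -x509".
# Assumes the openssl CLI; section bodies below are reconstructed from the stock
# openssl.cnf and are an assumption, not quoted from the thread.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"

# Constructed minimal config: an empty DN section (the subject comes from -subj)
# plus the three extension sections under discussion.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ usr_cert ]
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = CA:true
EOF

# Self-sign a fresh certificate using SECTION for its extensions; prints the path.
make_cert() {
    section="$1"
    out="$WORK/$section.pem"
    openssl req -x509 -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$section.key" -out "$out" \
        -subj "/CN=example.test" -days 1 \
        -config "$CNF" -extensions "$section" 2>/dev/null
    printf '%s\n' "$out"
}

# Print the names of the extensions present in a certificate, one per line.
list_extensions() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *\(X509v3 [A-Za-z ]*\|Netscape Comment\):.*/\1/p'
}

# Endpoint (leaf) sanity check: "ok" when the certificate does not assert
# CA:TRUE, carries basicConstraints, and has a keyUsage extension; otherwise
# the first problem found. These criteria are the example's own.
endpoint_check() {
    text="$(openssl x509 -in "$1" -noout -text)"
    if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        echo "not-ok: basicConstraints asserts CA:TRUE"
    elif ! printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
        echo "not-ok: no keyUsage extension"
    elif ! printf '%s\n' "$text" | grep -q 'CA:FALSE'; then
        echo "not-ok: no basicConstraints"
    else
        echo "ok"
    fi
}

# Demo: show what each section produces and how it fares as an endpoint cert.
for section in v3_req usr_cert v3_ca; do
    cert="$(make_cert "$section")"
    echo "== $section"
    list_extensions "$cert"
    echo "endpoint check: $(endpoint_check "$cert")"
done
```

Newer OpenSSL releases add a Subject Key Identifier (and an Authority Key Identifier) to self-signed certificates on their own when the chosen section does not supply one, so the listed extensions for v3_req may be longer than in the thread; the sanity check result does not depend on that.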