section [ easyrsa_ca ] in openssl-easyrsa.cnf is ignored #1090
Comments
Which version of Easy-RSA are you using?
EasyRSA Version Information
Easy-RSA does not support Work is being done here: #1063 Take a look in
Thanks for your reply.
is for. If that isn't used at all, may I suggest to remove it from the .cnf file altogether? It might cause confusion otherwise. Thanks for your assistance,
Also, editing Thank you,
It is used here:
Trying to alter the basicConstraint to set CA:TRUE as critical, as imposed by RFC 5280 paragraph 4.2.1.9:
Conforming CAs MUST include this extension in all CA certificates that contain public keys used to validate digital signatures on certificates and MUST mark the extension as critical in such certificates.
the build_ca ignores what's in that section and generates a CA certificate that does not have the "critical" constraint. Also, trying to forcefully set "CA:FALSE" is ignored, suggesting that the section is ignored as a whole.
If that is not the section actually used by build_ca to create a new CA, then what is it, and what is the purpose of the [ easyrsa_ca ] section then?
Many thanks for any clarification.
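An added example, not part of the original issue and not Easy-RSA's own code: a POSIX shell check, using only the `openssl` CLI, that reports whether a certificate's basicConstraints extension is present, marked critical and set to CA:TRUE, as RFC 5280 section 4.2.1.9 requires of a CA certificate. The function names `ca_bc_status` and `make_test_ca`, the status strings and the test subject name are assumptions made for this example.

```shell
#!/bin/sh
# Added example: check a certificate's basicConstraints against RFC 5280 4.2.1.9.
# Function names and status strings are hypothetical, not part of Easy-RSA.

# ca_bc_status CERT.pem
# Prints one of: critical-ca | noncritical-ca | not-ca | missing
ca_bc_status() {
    bc_text=$(openssl x509 -in "$1" -noout -text) || return 2
    printf '%s\n' "$bc_text" | awk '
        /X509v3 Basic Constraints:/ {
            found = 1
            crit = ($0 ~ /critical/)   # flag is printed on the header line
            getline                    # value is printed on the next line
            ca = ($0 ~ /CA:TRUE/)
            exit
        }
        END {
            if (!found)    print "missing"
            else if (!ca)  print "not-ca"
            else if (crit) print "critical-ca"
            else           print "noncritical-ca"
        }'
}

# make_test_ca OUT.pem BASIC_CONSTRAINTS_VALUE
# Builds a throwaway self-signed certificate (constructed test data) from a
# private config file, so the system openssl.cnf cannot add extensions.
make_test_ca() {
    bc_cnf=$(mktemp) || return 2
    cat > "$bc_cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = constructed test CA
[ext]
basicConstraints = $2
EOF
    bc_rc=0
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$bc_cnf" \
        -keyout "$1.key" -out "$1" 2>/dev/null || bc_rc=$?
    rm -f "$bc_cnf"
    return "$bc_rc"
}

# Usage: sh this_script.sh path/to/ca.crt
if [ "$#" -gt 0 ]; then ca_bc_status "$1"; fi
```

Run against the `ca.crt` produced by a CA build, any result other than `critical-ca` means the certificate does not meet the requirement quoted in the issue.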