RT3809: basicConstraints is critical This is really a security bugfix, not enhancement any more. Everyone knows critical extensions. Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
diff --git a/apps/openssl.cnf b/apps/openssl.cnf index 53c4bef..b3e7444 100644 --- a/apps/openssl.cnf +++ b/apps/openssl.cnf
@@ -233,11 +233,7 @@ authorityKeyIdentifier=keyid:always,issuer -# This is what PKIX recommends but some broken software chokes on critical -# extensions. -#basicConstraints = critical,CA:true -# So we do this instead. -basicConstraints = CA:true +basicConstraints = critical,CA:true # Key usage: this is typical for a CA certificate. However since it will # prevent it being used as an test self-signed certificate it is best