[openssl-users] Fwd: basic constraints check
Sandeep Deshpande
sandeep.bvb at gmail.com
Thu May 31 17:23:38 UTC 2018
Hi ,
We are using openssl 1.0.2j and have 3 level certificates like this.
root CA --> intermediate 01 CA-->intermediate02 CA -->Server certificate.
We generated intermediate02 such that it has "basicConstraints" extension
and "keyUsage" missing. Now we used this intermediate 02 CA to sign server
certificate.
We have uploaded the CA certificates on the client side in the trust store.
When a connection is made using openssl s_client / curl, we see that
connection goes through successfully and the certificate chain is verified
successfully OK.
We expected the verification to fail as one of the certificate in the chain
has "basicConstraints" missing. But openssl allows it. Is this the right
behaviour ?
If we need to have this check in place how to go about it . ?
Thanks,
Sandeep
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180531/33964082/attachment.html>
More information about the openssl-users
mailing list