Openssl req signs certificate with "Basic Constraints: CA: TRUE"
Glen Huang
heyhgl at gmail.com
Thu Jan 27 06:00:32 UTC 2022
Hi,
I’m trying to create a signed certificate from a CA certificate without creating a CSR first. From the doc, I came up with this command:
```
openssl req -CA ca.crt -CAkey ca.key -key leaf.key -subj ‘/CN=leaf’ -out leaf.crt
```
However,
```
openssl x509 -in leaf.crt -text -noout
```
reports that it contains:
```
X509v3 Basic Constraints: critical
CA:TRUE
```
Which should be incorrect, since leaf.crt has an issuer and is not a CA.
I wonder if this is by design? Is there a way to omit the basic constraints extension in a leaf certificate?
I’m using 3.0.1.
Regards,
Glen
More information about the openssl-users
mailing list