Openssl req signs certificate with "Basic Constraints: CA: TRUE"

Glen Huang heyhgl at gmail.com
Thu Jan 27 06:00:32 UTC 2022


Hi,

I’m trying to create a signed certificate from a CA certificate without creating a CSR first. From the doc, I came up with this command:

```
openssl req -CA ca.crt -CAkey ca.key -key leaf.key -subj ‘/CN=leaf’ -out leaf.crt
```

However,

```
openssl x509 -in leaf.crt -text -noout
```

reports that it contains:

```
X509v3 Basic Constraints: critical
    CA:TRUE
```

Which should be incorrect, since leaf.crt has an issuer and is not a CA.

I wonder if this is by design? Is there a way to omit the basic constraints extension in a leaf certificate?

I’m using 3.0.1.

Regards,
Glen


More information about the openssl-users mailing list