Require intermediate CAs to have basicConstraints CA:true.
Previously, it was sufficient to have certSign in keyUsage when the
basicConstraints extension was missing. That is still accepted in
a trust anchor, but is no longer accepted in an intermediate CA.
Reviewed-by:
Rich Salz <rsalz@openssl.org>
Please register or sign in to comment