[Bug 50333] Re: Default configuration file prevents the creation of a valid Certificate Authority
Adrien Nader
50333 at bugs.launchpad.net
Mon May 15 08:32:42 UTC 2023
I'm leaning towards marking this bug as Won't Fix. As stated above, this
is needed by a minority of users and the current configuration (which is
still the same regarding this) is therefore sound for the vast majority
of users. Moreover this would have consequences for this majority of
users as stated in the configuration:
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/50333
Title:
Default configuration file prevents the creation of a valid
Certificate Authority
Status in openssl package in Ubuntu:
Confirmed
Bug description:
When using the default configuration file and the script
/usr/lib/ssl/misc/CA.[sh|pl] -newca is run, the certificate authority
created by the script is not authorized to issue certificates.
An error is issued by Windows clients after the certificate is
imported:
"This Certificate is not valid because one of the certification
authorities in the certification path does not appear to be allowed to
issue certificates or this certificate cannot be used as an end-entity
certificate."
To correct the problem, one line needs to be modified in the
[ CA_default ] section of /etc/ssl/openssl.cnf:
Change this:
    x509_extensions = usr_crt
To this:
    x509_extensions = v3_ca
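Added example, not part of the bug report or of the openssl package: a small resolver that shows which extension section `openssl ca` applies through [ CA_default ], and what the proposed one-line change does to every certificate issued that way. The config fragment is constructed for illustration; its section names follow the stock openssl.cnf, where the section the report calls usr_crt is spelled usr_cert.

```python
import re

# Constructed fragment (assumption): only the sections relevant to the report,
# not a copy of Ubuntu's /etc/ssl/openssl.cnf.
SAMPLE_CNF = """
[ ca ]
default_ca = CA_default

[ CA_default ]
x509_extensions = usr_cert

[ usr_cert ]
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints = CA:FALSE

[ v3_ca ]
basicConstraints = critical,CA:true
"""

def parse_cnf(text):
    """Parse '[ section ]' headers and 'key = value' lines; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def issued_cert_is_ca(sections):
    """True if certificates signed via the default CA section get CA:TRUE."""
    ca_section = sections[sections["ca"]["default_ca"]]
    ext = sections.get(ca_section.get("x509_extensions", ""), {})
    flags = [f.strip().upper() for f in ext.get("basicConstraints", "").split(",")]
    return "CA:TRUE" in flags

def with_reported_change(text):
    """Apply the edit from the bug description to the constructed fragment."""
    return text.replace("x509_extensions = usr_cert", "x509_extensions = v3_ca")

if __name__ == "__main__":
    print("default config issues CA certs:", issued_cert_is_ca(parse_cnf(SAMPLE_CNF)))
    changed = parse_cnf(with_reported_change(SAMPLE_CNF))
    print("after reported change:", issued_cert_is_ca(changed))
```

With the default setting, certificates signed through [ CA_default ] carry CA:FALSE; after the change, every certificate issued that way is marked as a CA, end-user certificates included.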