From a7be5759cf9d8e2bf7c1ecd0efa2d53aae9ab706 Mon Sep 17 00:00:00 2001
From: Rich Salz <rsalz@openssl.org>
Date: Sun, 12 Jun 2016 22:21:54 -0400
Subject: RT3809: basicConstraints is critical

This is really a security bugfix, not enhancement any more.
Everyone knows critical extensions.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
---
 test/certs/mkcert.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'test/certs')

diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh
index ec2e374038..daa0679ee8 100755
--- a/test/certs/mkcert.sh
+++ b/test/certs/mkcert.sh
@@ -88,7 +88,7 @@ genroot() {
     local skid="subjectKeyIdentifier = hash"
     local akid="authorityKeyIdentifier = keyid"
 
-    exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = CA:true")
+    exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = critical,CA:true")
     for eku in "$@"
     do
         exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
@@ -107,7 +107,7 @@ genca() {
     local skid="subjectKeyIdentifier = hash"
     local akid="authorityKeyIdentifier = keyid"
 
-    exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = CA:true")
+    exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = critical,CA:true")
     for eku in "$@"
     do
         exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
-- 
cgit v1.2.3