Might be in OpenSAML, not sure, but the code generating the keys at install time seems to be including a basic constraint of CA:true, which while “allowed” is kind of silly and just inviting complaints. No reason to keep doing that if we can fix it.
Environment
None
Activity
Scott Cantor March 18, 2025 at 12:15 PM
No, CAs have to have a basic constraint extension. Nevertheless, it’s a good idea to be explicit about it.
Takeshi Nishimura March 18, 2025 at 6:50 AM
I thought that the certificate was issued by itself, so it must be a CA certificate as well.
Rod Widdowson March 17, 2025 at 2:42 PM
Done.
To be explicit. There was nothing about “CA:true” either in the code or in the output we generated (as per OpenSSL -text