Feature #15818

closed

Certificate Authorities created in the GUI do not have the Basic Constraints extension marked critical

Added by Steve Wheeler about 2 months ago. Updated 12 days ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Certificates
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 25.03
Release Notes: Default

Description

CA certs created and exported from pfSense can fail verification because the Basic Constraints extension is not marked critical.

Basic Constraints
Certificate Authority:    Yes
Max Path Length:    Unlimited
Critical:    No

Mark this critical to allow import/verification in all cases.

#2

Updated by Jim Pingle 16 days ago

  • Subject changed from CA certs created in pfSense do not have the Basic Constraints extension marked critical to Certificate Authorities created in the GUI do not have the Basic Constraints extension marked critical
  • Status changed from New to In Progress
  • Assignee set to Jim Pingle
  • Target version changed from Future to 2.8.0

#3

Updated by Jim Pingle 16 days ago

At one point we had disabled this because certain clients didn't like that being marked as critical, but that note was no less than 20 years old.

I changed it to be critical when CA is true; if we get reports of problems we can always flip it back or make it optional.

#4

Updated by Jim Pingle 16 days ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100

#5

Updated by Jim Pingle 13 days ago

  • Plus Target Version changed from 25.01 to 25.03

#6

Updated by Jim Pingle 12 days ago

  • Status changed from Feedback to Resolved

Newly created CAs now have the basic constraints marked critical:

            X509v3 Basic Constraints: critical
                CA:TRUE

Existing CA entries renewed in the GUI also get the same treatment.
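
How the flag discussed in this issue appears in the encoded certificate, as an added example that is not pfSense code: in DER the extension's `critical` BOOLEAN defaults to FALSE and is absent when unset, so the check walks the structure, finds Basic Constraints (OID 2.5.29.19) and reports whether the flag is present. The function names and the sample extension bytes are constructed for illustration.

```python
# Added example (not pfSense code): standard-library DER walk.
BC_OID = bytes.fromhex("551d13")  # id-ce-basicConstraints, 2.5.29.19

def tlvs(buf, pos, end):
    """Yield (tag, value_start, value_end) for each DER element in buf[pos:end]."""
    while pos < end:
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > end:
            raise ValueError("truncated DER element")
        yield tag, pos, pos + length
        pos += length

def basic_constraints(buf, pos=0, end=None):
    """Return critical/ca/path_len of the first Basic Constraints extension
    found in DER bytes (a certificate or a bare extension), or None."""
    end = len(buf) if end is None else end
    for tag, vs, ve in tlvs(buf, pos, end):
        if not tag & 0x20:  # primitive element, nothing to descend into
            continue
        kids = list(tlvs(buf, vs, ve))
        if kids and kids[0][0] == 0x06 and buf[kids[0][1]:kids[0][2]] == BC_OID:
            # Extension ::= SEQUENCE { extnID OID,
            #   critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
            critical = any(t == 0x01 and buf[s:e] != b"\x00" for t, s, e in kids[1:])
            octets = next((s, e) for t, s, e in kids[1:] if t == 0x04)
            _, s, e = next(tlvs(buf, *octets))  # the BasicConstraints SEQUENCE
            ca, path_len = False, None
            for t, fs, fe in tlvs(buf, s, e):
                if t == 0x01:
                    ca = buf[fs:fe] != b"\x00"
                elif t == 0x02:
                    path_len = int.from_bytes(buf[fs:fe], "big")
            return {"critical": critical, "ca": ca, "path_len": path_len}
        found = basic_constraints(buf, vs, ve)
        if found:
            return found
    return None

def sample_extension(critical):
    """Constructed sample: DER Basic Constraints extension with CA:TRUE."""
    body = b"\x06\x03" + BC_OID
    body += b"\x01\x01\xff" if critical else b""  # omitted entirely when FALSE
    body += b"\x04\x05" + bytes.fromhex("30030101ff")  # SEQUENCE { cA TRUE }
    return b"\x30" + bytes([len(body)]) + body

if __name__ == "__main__":
    print("before the change:", basic_constraints(sample_extension(False)))
    print("after the change: ", basic_constraints(sample_extension(True)))
```

To check an exported CA, pass the DER bytes of the whole certificate, for example the result of `ssl.PEM_cert_to_DER_cert(pem_text)` from the Python standard library.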
