Feature #15818
closed
Certificate Authorities created in the GUI do not have the Basic Constraints extension marked critical
Added by Steve Wheeler about 2 months ago.
Updated 12 days ago.
Plus Target Version:
25.03
Description
CA certs created and exported from pfSense can fail verification because the Basic Constraints extension is not marked critical.
Basic Constraints
Certificate Authority: Yes
Max Path Length: Unlimited
Critical: No
Mark this critical to allow import/verification in all cases.
- Subject changed from CA certs created in pfSense do not have the Basic Constraints extension marked critical to Certificate Authorities created in the GUI do not have the Basic Constraints extension marked critical
- Status changed from New to In Progress
- Assignee set to Jim Pingle
- Target version changed from Future to 2.8.0
At one point we had disabled this because certain clients didn't like that being marked as critical, but that note was no less than 20 years old.
I changed it to be critical when CA is true; if we get reports of problems we can always flip it back or make it optional.
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
- Plus Target Version changed from 25.01 to 25.03
- Status changed from Feedback to Resolved
Newly created CAs now have the basic constraints marked critical:
X509v3 Basic Constraints: critical
CA:TRUE
Existing CA entries renewed in the GUI also get the same treatment.
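
The flag discussed in this issue, shown as an added example (not part of the original issue and not pfSense code): a stdlib-only Python check that finds the Basic Constraints extension in DER bytes, whether a whole certificate or a bare extension, and reports whether it is marked critical. The function names are hypothetical and the sample bytes are constructed for illustration.

```python
# Added example, not pfSense code. Handles single-byte DER tags, which
# is all an X.509 certificate uses.
BC_OID = bytes.fromhex("551d13")  # 2.5.29.19, id-ce-basicConstraints

def tlvs(buf):
    """Yield (tag, value) for each DER TLV found back to back in buf."""
    i = 0
    while i + 2 <= len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:  # long-form length: low 7 bits give the byte count
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        if i + n > len(buf):
            raise ValueError("truncated DER")
        yield tag, buf[i:i + n]
        i += n

def basic_constraints(der):
    """Return {'critical', 'ca', 'pathlen'} for the extension, or None."""
    for tag, val in tlvs(der):
        if not tag & 0x20:  # primitive value: nothing to descend into
            continue
        kids = list(tlvs(val))
        if tag == 0x30 and kids and kids[0] == (0x06, BC_OID):
            # Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE,
            # extnValue OCTET STRING }. DER omits the BOOLEAN when it is FALSE.
            critical = any(t == 0x01 and v != b"\x00" for t, v in kids[1:])
            inner = next(v for t, v in kids[1:] if t == 0x04)
            (_, body), = tlvs(inner)  # the BasicConstraints SEQUENCE
            out = {"critical": critical, "ca": False, "pathlen": None}
            for t, v in tlvs(body):
                if t == 0x01:
                    out["ca"] = v != b"\x00"
                elif t == 0x02:
                    out["pathlen"] = int.from_bytes(v, "big")
            return out
        found = basic_constraints(val)
        if found is not None:
            return found
    return None

# Constructed samples: bare Extension encodings with CA:TRUE and no path length.
OLD_EXT = bytes.fromhex("300c0603551d13040530030101ff")        # not critical
NEW_EXT = bytes.fromhex("300f0603551d130101ff040530030101ff")  # critical
```

To audit a real CA, pass the DER form of its certificate; a CA whose result has `ca` true and `critical` false is in the state this issue describes.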