On 01/08/2013 06:38 PM, Gordon Messmer wrote:
> On 01/08/2013 03:27 PM, Robert Moskowitz wrote:
>> I just checked a couple RFCs. If this is a root CA cert, of course it is self-signed. By definition.
> Yes.
>> But a self-signed server cert is not a CA root cert....
> Yes, it is. A certificate is a root cert unless some other certificate has signed it. x509 creates a chain of trust. The root of that chain is the certificate which has no other certificate's signature on it. A self-signed cert is its own root, and all root certificates are self-signed.
CA:TRUE means it is a signing cert. In RFC 5280, app C.2 end-entity cert:
(g) the certificate is an end entity certificate, as the basic constraints extension is not present;
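
The two properties discussed in this thread, being self-signed and carrying basicConstraints CA:TRUE, can be checked separately on any certificate. The following Go program is an added example, not part of the original messages; the helper names `makeSelfSigned` and `classify` and the name `example.test` are assumptions, and the certificates are constructed in memory for the demonstration.

```go
package main
import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeSelfSigned (hypothetical helper) builds a constructed certificate signed by its
// own key. With isCA false, Go emits no basicConstraints extension at all.
func makeSelfSigned(cn string, isCA bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: isCA, IsCA: isCA,
	}
	// Template is used as its own parent, so issuer == subject and the key signs itself.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// classify (hypothetical helper) reports the two properties independently.
func classify(c *x509.Certificate) (selfSigned, caFlag bool) {
	// Self-signed: issuer equals subject AND the signature verifies under the cert's own key.
	selfSigned = bytes.Equal(c.RawIssuer, c.RawSubject) &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
	// CA flag: basicConstraints extension present with cA set.
	caFlag = c.BasicConstraintsValid && c.IsCA
	return
}

func main() {
	for _, isCA := range []bool{true, false} {
		c, err := makeSelfSigned("example.test", isCA)
		if err != nil {
			panic(err)
		}
		s, f := classify(c)
		fmt.Printf("template IsCA=%v: self-signed=%v, CA:TRUE=%v\n", isCA, s, f)
	}
}
```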