On 01/08/2013 05:07 PM, Gordon Messmer wrote: > On 01/08/2013 11:49 AM, Robert Moskowitz wrote: >> Why was this chosen? Why is not -extensions v3_req used in the >> certificate creation? > Because it has to be able to sign itself? No. A self-signed cert need not and actually SHOULD not be a CA cert according to PKIX standards. CA is for signing other certs.