On 01/08/2013 06:31 PM, Craig White wrote: > On Jan 8, 2013, at 4:27 PM, Robert Moskowitz wrote: > >> On 01/08/2013 05:07 PM, Gordon Messmer wrote: >>> On 01/08/2013 11:49 AM, Robert Moskowitz wrote: >>>> Why was this chosen? Why is not -extensions v3_req used in the >>>> certificate creation? >>> Because it has to be able to sign itself? >> I just checked a couple RFCs. If this is a root CA cert, of course it is >> self-signed. By definition. >> >> But a self-signed server cert is not a CA root cert.... > ---- > it is a CA root certificate if I say it is. On further review there is a /etc/pki/CA/certs (and .../CA/private) for the placement of CA certs. /etc/pki/tls is for end-entity certs.