Robert Moskowitz
2013-Jan-08 19:49 UTC
[CentOS] Why is localhost self-signed cert a CA cert?
I am building a mail server on Centos 6.3 and working with OpenSSL to create a self-signed certificate for mail use. Along the line of learning the 'best' options to use for OpenSSL and dealing with the default SSL virtual host for Apache, I discovered that the localhost cert created (I believe) during firstboot has the X509v3 extensions set as a CA cert (e.g. basicConstraints CA:TRUE). I was once very involved in PKIX and legal issues on certificate policy. Having the localhost cert being a CA cert, thus allowed to sign other certs, MAY have legal implications in the USofA and EU. Why was this chosen? Why is not -extensions v3_req used in the certificate creation?

Oh, you can see this for yourself with:

openssl x509 -in /etc/pki/certs/localhost.crt -text -nameopt multiline -noout | more
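The two steps the post describes, as an added example that is not part of the original thread: generate a self-signed end-entity certificate whose extensions come from a v3_req-style section (basicConstraints = CA:FALSE), and inspect any certificate for the CA:TRUE flag. The hostname, output directory and the helper names (is_ca_cert, make_server_cert) are assumptions for illustration; only openssl is required.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a working openssl binary.

# is_ca_cert FILE -> prints "CA" when basicConstraints carries CA:TRUE,
# otherwise "end-entity". Same check as the post's `openssl x509 -text`.
is_ca_cert() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo CA
    else
        echo end-entity
    fi
}

# make_server_cert OUTDIR HOSTNAME -> writes key.pem and cert.pem.
# Self-signed, but explicitly an end-entity (server) certificate:
# the v3_req section sets CA:FALSE and server-only key usage, so the
# resulting cert cannot be used to sign other certificates.
make_server_cert() {
    dir=$1; host=$2
    # Minimal OpenSSL config constructed inline for this example.
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = $host

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # -extensions v3_req is the option the post asks about.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$dir/openssl.cnf" -extensions v3_req \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}
```

Pointing is_ca_cert at the distribution's generated localhost certificate reproduces the observation in the post; pointing it at cert.pem from make_server_cert prints end-entity.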
Gordon Messmer
2013-Jan-08 22:07 UTC
[CentOS] Why is localhost self-signed cert a CA cert?
On 01/08/2013 11:49 AM, Robert Moskowitz wrote:
> Why was this chosen? Why is not -extensions v3_req used in the
> certificate creation?

Because it has to be able to sign itself?
Robert Moskowitz
2013-Jan-08 23:22 UTC
[CentOS] Why is localhost self-signed cert a CA cert?
On 01/08/2013 05:07 PM, Gordon Messmer wrote:
> On 01/08/2013 11:49 AM, Robert Moskowitz wrote:
>> Why was this chosen? Why is not -extensions v3_req used in the
>> certificate creation?
> Because it has to be able to sign itself?

No. A self-signed cert need not and actually SHOULD not be a CA cert according to PKIX standards. CA is for signing other certs.
Robert Moskowitz
2013-Jan-08 23:27 UTC
[CentOS] Why is localhost self-signed cert a CA cert?
On 01/08/2013 05:07 PM, Gordon Messmer wrote:
> On 01/08/2013 11:49 AM, Robert Moskowitz wrote:
>> Why was this chosen? Why is not -extensions v3_req used in the
>> certificate creation?
> Because it has to be able to sign itself?

I just checked a couple of RFCs. If this is a root CA cert, of course it is self-signed. By definition.

But a self-signed server cert is not a CA root cert....
On Jan 8, 2013, at 4:27 PM, Robert Moskowitz wrote:
> On 01/08/2013 05:07 PM, Gordon Messmer wrote:
>> On 01/08/2013 11:49 AM, Robert Moskowitz wrote:
>>> Why was this chosen? Why is not -extensions v3_req used in the
>>> certificate creation?
>> Because it has to be able to sign itself?
>
> I just checked a couple RFCs. If this is a root CA cert, of course it is
> self-signed. By definition.
>
> But a self-signed server cert is not a CA root cert....
----
it is a CA root certificate if I say it is.

Craig
Robert Moskowitz
2013-Jan-09 00:39 UTC
[CentOS] Why is localhost self-signed cert a CA cert?
On 01/08/2013 06:31 PM, Craig White wrote:
> On Jan 8, 2013, at 4:27 PM, Robert Moskowitz wrote:
>
>> On 01/08/2013 05:07 PM, Gordon Messmer wrote:
>>> On 01/08/2013 11:49 AM, Robert Moskowitz wrote:
>>>> Why was this chosen? Why is not -extensions v3_req used in the
>>>> certificate creation?
>>> Because it has to be able to sign itself?
>> I just checked a couple RFCs. If this is a root CA cert, of course it is
>> self-signed. By definition.
>>
>> But a self-signed server cert is not a CA root cert....
> ----
> it is a CA root certificate if I say it is.

Fine. Be that way. But then you still need a server cert to use in the SSL default virtual host. Root certs are for signing other certs, not for using directly in applications.
Robert Moskowitz
2013-Jan-09 01:27 UTC
[CentOS] Why is localhost self-signed cert a CA cert?
On 01/08/2013 06:31 PM, Craig White wrote:
> On Jan 8, 2013, at 4:27 PM, Robert Moskowitz wrote:
>
>> On 01/08/2013 05:07 PM, Gordon Messmer wrote:
>>> On 01/08/2013 11:49 AM, Robert Moskowitz wrote:
>>>> Why was this chosen? Why is not -extensions v3_req used in the
>>>> certificate creation?
>>> Because it has to be able to sign itself?
>> I just checked a couple RFCs. If this is a root CA cert, of course it is
>> self-signed. By definition.
>>
>> But a self-signed server cert is not a CA root cert....
> ----
> it is a CA root certificate if I say it is.

On further review, there is a /etc/pki/CA/certs (and .../CA/private) for the placement of CA certs. /etc/pki/tls is for end-entity certs.