search for: usofa

...reated (I believe) during firstboot has the X509v3 extensions set as a CA cert (eg basicConstraint CA:TRUE). I was once very involved in PKIX and legal issues on certificate policy. Having the localhost cert being a CA cert, thus allowed to sign other certs, MAY have legal implications in the USofA and EU. Why was this chosen? Why is not -extensions v3_req used in the certificate creation? Oh you can see this for yourself with: openssl x509 -in /etc/pki/certs/localhost.crt -text -nameopt multiline -noout|more