OpenVPN / easy-rsa

easy-rsa - Simple shell based CA utility

section [ easyrsa_ca ] in openssl-easyrsa.cnf is ignored #1090

Closed febs closed 4 months ago

febs commented 5 months ago

Trying to alter the basicConstraints to set CA:TRUE as critical, as imposed by RFC 5280 paragraph 4.2.1.9:

Conforming CAs MUST include this extension in all CA certificates that contain public keys used to validate digital signatures on certificates and MUST mark the extension as critical in such certificates.

build_ca ignores what's in that section and generates a CA certificate that does not have the "critical" constraint. Also, trying to forcefully set "CA:FALSE" is ignored, suggesting that the section is ignored as a whole.

If that is not the section actually used by build_ca to create a new CA, then what is it, and what is the purpose of the [ easyrsa_ca ] section?

Many thanks for any clarification.

TinCanTech commented 5 months ago

Which version of Easy-RSA are you using ?

febs commented 5 months ago

EasyRSA Version Information
Version: 3.1.7
Generated: Fri Oct 13 17:27:51 CDT 2023
SSL Lib: OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
Git Commit: 3c233d279d43e419b0529411ee62bba7a08f0c0f
Source Repo: https://github.com/OpenVPN/easy-rsa

TinCanTech commented 5 months ago

Easy-RSA does not support basicConstraint critical at this time.

Work is being done here: #1063

Take a look in the x509-types folder; you can make changes there.
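An added check, written for this page and not code from easy-rsa or from either commenter: it lints an x509-types style extension file (the OpenSSL `name=value` lines edited in the folder named above) for the `critical` flag on `basicConstraints` that RFC 5280 4.2.1.9 requires on CA certificates, and it inspects the text rendered by `openssl x509 -text -noout` to confirm the flag actually made it into the issued certificate. The sample file contents and certificate text are constructed for the example, and the function names are my own.

```python
# Example lint for easy-rsa style x509-types extension files and for the
# rendered output of `openssl x509 -text -noout`. Added example; the sample
# inputs below are constructed and do not come from the easy-rsa project.

# Constructed sample of an x509-types "ca" style file: OpenSSL-style
# name=value extension lines, comments start with '#'.
SAMPLE_X509_TYPE_CA = """\
# X509 extensions for a ca (constructed sample)
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:TRUE
keyUsage=cRLSign,keyCertSign
"""

# The same file with basicConstraints marked critical, as RFC 5280 4.2.1.9 asks.
SAMPLE_X509_TYPE_CA_CRITICAL = SAMPLE_X509_TYPE_CA.replace(
    "basicConstraints=CA:TRUE", "basicConstraints=critical,CA:TRUE")

# Constructed excerpt of `openssl x509 -text -noout` output for a CA cert
# whose Basic Constraints extension is critical.
SAMPLE_CERT_TEXT_CRITICAL = """\
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                AA:BB:CC:DD
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
"""

# Same excerpt, but Basic Constraints rendered without the critical flag.
SAMPLE_CERT_TEXT_NONCRITICAL = SAMPLE_CERT_TEXT_CRITICAL.replace(
    "X509v3 Basic Constraints: critical", "X509v3 Basic Constraints:")


def parse_extensions(text):
    """Parse OpenSSL-style 'name = value' lines into {name: [flag, ...]}.
    Comments ('#' to end of line) and blank lines are skipped; the value is
    split on commas so flags such as 'critical' become separate tokens."""
    exts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        exts[name.strip()] = [tok.strip() for tok in value.split(",") if tok.strip()]
    return exts


def check_ca_basic_constraints(text):
    """Return (is_ca, is_critical, problems) for an x509-types style file."""
    flags = [f.lower() for f in parse_extensions(text).get("basicConstraints", [])]
    is_ca = "ca:true" in flags
    is_critical = "critical" in flags
    problems = []
    if not flags:
        problems.append("basicConstraints extension missing")
    if not is_ca:
        problems.append("basicConstraints does not assert CA:TRUE")
    if is_ca and not is_critical:
        problems.append("basicConstraints must be marked critical on a CA "
                        "certificate (RFC 5280 4.2.1.9)")
    return is_ca, is_critical, problems


def cert_text_basic_constraints(text):
    """Inspect `openssl x509 -text -noout` output.
    Returns (present, critical, ca_true) for the Basic Constraints extension;
    OpenSSL prints 'critical' on the header line and the value on the next."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        head = line.strip()
        if head.startswith("X509v3 Basic Constraints:"):
            critical = "critical" in head.split(":", 1)[1].lower()
            body = lines[i + 1].strip() if i + 1 < len(lines) else ""
            return True, critical, "CA:TRUE" in body
    return False, False, False


if __name__ == "__main__":
    for label, conf in (("default", SAMPLE_X509_TYPE_CA),
                        ("critical", SAMPLE_X509_TYPE_CA_CRITICAL)):
        is_ca, crit, probs = check_ca_basic_constraints(conf)
        print(f"x509-types {label}: CA={is_ca} critical={crit} problems={probs}")
    for label, txt in (("noncritical", SAMPLE_CERT_TEXT_NONCRITICAL),
                       ("critical", SAMPLE_CERT_TEXT_CRITICAL)):
        print(f"cert text {label}:", cert_text_basic_constraints(txt))
```

Run the config check against the file you edited before building the CA, and the certificate check against the resulting `ca.crt` afterwards; the second check is the one that proves the setting was honoured rather than silently ignored, which is the behaviour this issue is about.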

febs commented 5 months ago

Thanks for your reply. I still don't get what the section named

[ easyrsa_ca ]

is for.

If that isn't used at all, may I suggest removing it from the .cnf file altogether? It might cause confusion otherwise.

Thanks for your assistance,

febs commented 5 months ago

Also, editing x509-types worked, so it is supported apparently.

Thank you,

TinCanTech commented 5 months ago

I still don't get what the section named

[ easyrsa_ca ]

is for.

It is used here:

# A placeholder to handle the $X509_TYPES and CA extra extensions $EXTRA_EXTS:
#%CA_X509_TYPES_EXTRA_EXTS% # Do NOT remove or change this line as $X509_TYPES and EXTRA_EXTS demands it