Open kenji-lightship opened 6 months ago
It is preferable for leaf certificates not to include basicConstraints but if included, it is permissible for the CA flag either to be set explicitly to FALSE or to be omitted entirely. FDP_CER_EXT.1.2/OLTleaf updated accordingly. Believe this can be closed.
FDP_CER_EXT.1.2/OLTleaf says "basicConstraints is populated with CA flag equal to false".
Since the default value for the CA flag is false, the DER encoding rules indicate proper encoding is to omit the CA flag to indicate a value of false. Most implementations gracefully handle a false value; however, the FP should not require issuance of non-standard certificates.
Please see https://lightshipsec.com/x-509-cafalse-testing/ for additional technical details.
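As an added illustration (not part of the issue, and not code from the Protection Profile, the linked article, or any certificate library), the following Python decodes a BasicConstraints extension value by hand so the encoding point is visible: under DER (X.690 §11.5) a SEQUENCE component equal to its DEFAULT value must be omitted, so a DER-conformant certificate with cA FALSE encodes BasicConstraints as an empty SEQUENCE (`30 00`), while an explicit `BOOLEAN FALSE` (`30 03 01 01 00`) is BER-legal but not DER. The function names, the `strict_der` flag and the sample byte strings are constructed for this example.

```python
# Added example (not from the issue): a minimal DER/BER decoder for the
# X.509 BasicConstraints extension value, showing why a DER-conformant leaf
# certificate omits the cA flag when it is FALSE, and how an evaluation
# check can accept both the omitted form and an explicit FALSE.
#
#   BasicConstraints ::= SEQUENCE {
#       cA                 BOOLEAN DEFAULT FALSE,
#       pathLenConstraint  INTEGER (0..MAX) OPTIONAL }
from typing import Optional, Tuple


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one tag-length-value triple (definite lengths only)."""
    if pos >= len(buf):
        raise ValueError("truncated TLV")
    tag = buf[pos]
    pos += 1
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_basic_constraints(ext_value: bytes) -> dict:
    """Decode BasicConstraints. Returns cA, pathLenConstraint and whether the
    encoding is strict DER (an explicit cA FALSE is BER-legal but not DER)."""
    tag, body, end = _read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("expected a single SEQUENCE")
    ca = False            # DEFAULT FALSE applies when the BOOLEAN is absent
    path_len: Optional[int] = None
    strict_der = True
    pos = 0
    if pos < len(body) and body[pos] == 0x01:        # BOOLEAN present
        _, val, pos = _read_tlv(body, pos)
        if len(val) != 1:
            raise ValueError("BOOLEAN must be one byte")
        if val[0] == 0x00:
            ca = False
            strict_der = False   # DER forbids encoding a DEFAULT value
        elif val[0] == 0xFF:
            ca = True
        else:
            ca = True
            strict_der = False   # BER accepts any non-zero; DER requires 0xFF
    if pos < len(body) and body[pos] == 0x02:        # INTEGER present
        _, val, pos = _read_tlv(body, pos)
        path_len = int.from_bytes(val, "big", signed=True)
        if path_len < 0:
            raise ValueError("pathLenConstraint must be non-negative")
    if pos != len(body):
        raise ValueError("unexpected trailing data in BasicConstraints")
    return {"ca": ca, "path_len": path_len, "strict_der": strict_der}


def leaf_basic_constraints_ok(ext_value: Optional[bytes]) -> bool:
    """Leaf-certificate check: the extension may be absent, or present with
    cA FALSE (omitted per DER, or explicitly FALSE as some issuers emit)."""
    if ext_value is None:
        return True
    return parse_basic_constraints(ext_value)["ca"] is False


# Constructed sample encodings of the extnValue OCTET STRING contents
DER_CA_FALSE = bytes.fromhex("3000")                      # SEQUENCE {}: cA omitted -> FALSE
BER_CA_FALSE = bytes.fromhex("3003010100")                # explicit BOOLEAN FALSE (not DER)
DER_CA_TRUE = bytes.fromhex("30030101ff")                 # BOOLEAN TRUE
DER_CA_TRUE_PATHLEN0 = bytes.fromhex("30060101ff020100")  # cA TRUE, pathLenConstraint 0

if __name__ == "__main__":
    samples = [("DER cA omitted", DER_CA_FALSE), ("explicit FALSE", BER_CA_FALSE),
               ("cA TRUE", DER_CA_TRUE), ("cA TRUE pathLen 0", DER_CA_TRUE_PATHLEN0)]
    for name, enc in samples:
        print(name, parse_basic_constraints(enc), "leaf ok:", leaf_basic_constraints_ok(enc))
```

The `strict_der` flag separates the two questions the issue raises: whether the certificate asserts CA status (the security property an evaluator must verify) and whether its encoding is canonical DER (a conformance property). A leaf check that only looks at `ca` accepts both the standard omitted form and the explicit-FALSE form the original wording would have required.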