Ensure 'critical' basicConstraint for CA cert

sgallagher · sgallagher · commit 4af232e4ddd2 · 2025-04-22T13:12:33.000-04:00
Fixes: #74 Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
diff --git a/src/authority.c b/src/authority.c
@@ -123,7 +123,8 @@ create_private_CA (TALLOC_CTX *mem_ctx,
   sk_X509_EXTENSION_push (ca_certinfo->extensions, ex);
 
   /* Mark it as a CA */
-  ex = X509V3_EXT_conf_nid (NULL, NULL, NID_basic_constraints, "CA:TRUE");
+  ex = X509V3_EXT_conf_nid (
+    NULL, NULL, NID_basic_constraints, "critical,CA:TRUE");
   CHECK_MEM (ex);
   sk_X509_EXTENSION_push (ca_certinfo->extensions, ex);
 
diff --git a/test/test_cert_validity.sh b/test/test_cert_validity.sh
@@ -204,7 +204,7 @@ key_strength=$(openssl pkey -text -noout -in service-key.pem -passin pass:mypass
 test "$key_strength" -eq "$_arg_key_strength"
 
 # Validate the certificates
-openssl verify -CAfile ca.crt service.pem
+openssl verify -x509_strict -CAfile ca.crt service.pem
 
 popd # $TMPDIR
 
