Try it for yourself.
sign_req() is never called when building a CA:
|
# Append first any COMMON file (if present) then the cert-type extensions |
|
cat "$EASYRSA_EXT_DIR/COMMON" |
|
cat "$EASYRSA_EXT_DIR/$crt_type" |
|
# copy req extensions |
|
[ "$EASYRSA_CP_EXT" ] && print "copy_extensions = copy" |
|
|
|
# Support a dynamic CA path length when present: |
|
[ "$crt_type" = "ca" ] && [ -n "$EASYRSA_SUBCA_LEN" ] && \ |
|
print "basicConstraints = CA:TRUE, pathlen:$EASYRSA_SUBCA_LEN" |
|
|
|
# Deprecated Netscape extension support, if enabled |
|
if print "$EASYRSA_NS_SUPPORT" | awk_yesno; then |
|
[ -n "$EASYRSA_NS_COMMENT" ] && \ |
|
print "nsComment = \"$EASYRSA_NS_COMMENT\"" |
|
case "$crt_type" in |
|
serverClient) print "nsCertType = serverClient" ;; |
|
server) print "nsCertType = server" ;; |
|
client) print "nsCertType = client" ;; |
|
ca) print "nsCertType = sslCA" ;; |
|
esac |
|
fi |
EasyRSA CA certificates have not supported Netscape extensions for some time.
