X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=apps%2Fopenssl-vms.cnf;h=0092a650cb97bfbe687b04e9d5d7f929235ca42d;hb=3cca3e29f9c694585783074ba5fcc90dfd58c1f7;hp=94caf45abb4fd549b9d27aa332c0f377f80dbaee;hpb=39a6a4a707f23992beefc93d99549466857d2b10;p=oweals%2Fopenssl.git

diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf
index 94caf45abb..0092a650cb 100644
--- a/apps/openssl-vms.cnf
+++ b/apps/openssl-vms.cnf
@@ -233,11 +233,7 @@ subjectKeyIdentifier=hash
 
 authorityKeyIdentifier=keyid:always,issuer
 
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
+basicConstraints = critical,CA:true
 
 # Key usage: this is typical for a CA certificate. However since it will
 # prevent it being used as an test self-signed certificate it is best
@@ -336,7 +332,6 @@ certs		= $dir.cacert.pem]	# Certificate chain to include in reply
 					# (optional)
 signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
 signer_digest  = sha256			# Signing digest to use. (Optional)
-
 default_policy	= tsa_policy1		# Policy if request did not specify it
 					# (optional)
 other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)