From 499ce83c85d14dd8cbc52f6431e775f1d00578d6 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher
Date: Tue, 22 Apr 2025 13:09:32 -0400
Subject: [PATCH 7/7] Ensure 'critical' basicConstraint for CA cert
Fixes: https://github.com/sgallagher/sscg/issues/74
Signed-off-by: Stephen Gallagher
---
 src/authority.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/authority.c b/src/authority.c
index af60e1a93023c32e3fdf6da920fba4464256ed81..044c62f5192e75a9f7d3f49616f852a97da7505a 100644
--- a/src/authority.c
+++ b/src/authority.c
@@ -89,7 +89,8 @@ create_private_CA (TALLOC_CTX *mem_ctx,
 sk_X509_EXTENSION_push (ca_certinfo->extensions, ex);
 /* Mark it as a CA */
- ex = X509V3_EXT_conf_nid (NULL, NULL, NID_basic_constraints, "CA:TRUE");
+ ex = X509V3_EXT_conf_nid (
+ NULL, NULL, NID_basic_constraints, "critical,CA:TRUE");
 CHECK_MEM (ex);
 sk_X509_EXTENSION_push (ca_certinfo->extensions, ex);
--
2.49.0
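Review bot: The new value `"critical,CA:TRUE"` on the added X509V3_EXT_conf_nid call still leaves the path length unconstrained, so a certificate issued under this CA that itself carries CA:TRUE could be accepted as an intermediate by verifiers. If create_private_CA is only ever meant to sign end-entity certificates (not visible from this hunk), `"critical,CA:TRUE,pathlen:0"` would bound that. The comment above the call could also record why the flag is there, e.g. `/* Mark it as a CA; RFC 5280 4.2.1.9 requires basicConstraints to be critical in CA certificates */`. The body of create_private_CA starts and ends outside the hunk.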