Что вызывает предупреждение о базовых ограничениях сертификата?

Я создал самозаверяющий сертификат сервера, используя req -x509команду OpenSSL и файл CONF. Файл CONF показан ниже.

Когда я проверяю сертификат с помощью средства просмотра сертификатов Microsoft, на нем отображается предупреждение basicConstraints(обратите внимание на небольшой восклицательный знак):

Файл CONF использует следующее для построения basicConstraints:

basicConstraints = critical,CA:FALSE 

В соответствии с RFC 5280, то pathLenдолжны присутствовать только если CA:TRUEи keyCertSignприсутствует. Сертификат сервера не удовлетворяет ни одному из условий (плюс, тестирование с pathLenтем же предупреждением).

Почему средство сертификата Microsoft предупреждает basicConstraints? Что не так с этим или что я должен сделать, чтобы это исправить?

# Self Signed (note the addition of -x509): # openssl req -config example.conf -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout example.key.pem -days 365 -out example.cert.pem  # Self Signed with existing key (note the addition of -x509): # openssl req -config example.conf -new -x509 -sha256 -key example.key.pem -days 365 -out example.cert.pem  # Signing Request (note the lack of -x509): # openssl req -config example.conf -new -newkey rsa:2048 -nodes -keyout example.key.pem -days 365 -out example.req.pem  # Signing Request with existing key (note the lack of -x509): # openssl req -config example.conf -new -key example.key.pem -days 365 -out example.req.pem  # Print it: # openssl x509 -in example.cert.pem -text -noout # openssl req -in example.req.pem -text -noout  [ req ] default_bits = 2048 default_keyfile = server-key.pem distinguished_name = subject req_extensions = req_ext x509_extensions = x509_ext string_mask = utf8only  # The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description). # Its sort of a mashup. For example, RFC 4514 does not provide emailAddress. [ subject ] countryName = Country Name (2 letter code) countryName_default = US  stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = MD  localityName = Locality Name (eg, city) localityName_default = Baltimore  organizationName = Organization Name (eg, company) organizationName_default =  # Use a friendly name here because its presented to the user. The server's DNS # names are placed in Subject Alternate Names. Plus, DNS names here is deprecated # by both IETF and CA/Browser Forums. commonName = Common Name (e.g. server FQDN or YOUR name) commonName_default = Example, LLC  emailAddress = Email Address emailAddress_default = webmaster@example.com  # Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ... [ x509_ext ]  subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer  basicConstraints = critical,CA:FALSE keyUsage = digitalSignature, keyEncipherment subjectAltName = @alternate_names nsComment = "OpenSSL Generated Certificate"  # RFC 5280, Section 4.2.1.12 makes EKU optional # CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused extendedKeyUsage = serverAuth  # Section req_ext is used when generating a certificate signing request. I.e., openssl req ... [ req_ext ]  subjectKeyIdentifier = hash  basicConstraints = critical,CA:FALSE keyUsage = digitalSignature, keyEncipherment subjectAltName = @alternate_names nsComment = "OpenSSL Generated Certificate"  # RFC 5280, Section 4.2.1.12 makes EKU optional # CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused extendedKeyUsage = serverAuth  [ alternate_names ]  DNS.1 = example.com DNS.2 = www.example.com DNS.3 = mail.example.com DNS.4 = ftp.example.com  # Add these if you need them. But usually you don't want them or # need them in production. You may need them for development. # DNS.5 = localhost # DNS.6 = localhost.localdomain # DNS.7 = 127.0.0.1  # IPv6 localhost # DNS.8 = ::1