Self-signed certificates do not default to CAs

[monnerat]

If no template (or the empty template) is applied when creating a self-signed certificate, it does not include CA:TRUE in extensions.
IMHO this extension should be preset automatically for self-signed certificates, as this is done by the openssl req -x509 command default configuration.

[chris2511]

I don't like this implicit behavior.

1. If you want a certificate without extensions, you'll get it.
2. For self-signed HTTPS server certificates, the CA:TRUE is not the best choice.

What may be a good help for inexperienced users and a safety net for the hasty ones:
Check the Basic Constraints when clicking OK. Warn if they are undefined while proposing to apply the extensions of one of the default templates and allow to continue the rollout without basic constraints or get back to the input fields to configure them.
There are already a lot of such sanity-checks in NewX509::accept() and this would be another one.

[monnerat]

This was just a suggestion, but the warning you describe is also a good idea :-)
Xca is so complete it is not always evident (although there are already many gard rails) for a beginner that needs a simple certificate to chose the proper options.

For self-signed HTTPS server certificates, the CA:TRUE is not the best choice.

Well... AFAICR, I have seen long ago (but I don't remember where) a cert chain checking code that always requires a signer to be a CA, even for a single self-signed cert.

[monnerat]

Tested: OK
Thanks.

Since there are additional messages, please feel free to ask me if you want another translation round before release.