Device Certificate - basicConstraints extension CA flag

Hi!

 

Does anyone know why the device self signed certificate have the "basicConstraints extension CA flag" set to TRUE. According to Openssl "If the CA flag is true then it is a CA", but why is it needed? Is there any functionality that requires the device certificate to have it? If we generate a new device certificate do we need to have the CA flag set to true?

 

According to SOL9114, it doesn't look like the CA flag is set in there example. See below.

 

For example, the following command creates a 2048 bit SSL private key and a self-signed certificate that is valid for one year: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /config/httpd/conf/ssl.key/server.key -out /config/httpd/conf/ssl.crt/server.crt

 

/Riad