From f7d7f4e37cc84e0b188b8445009f2ee11d8a250b Mon Sep 17 00:00:00 2001
From: Sergey Matveev <stargrave@stargrave.org>
Date: Wed, 6 Oct 2021 13:33:00 +0300
Subject: [PATCH] CA-related extensions should be critical

---
 pygost/asn1schemas/cert-selfsigned-example.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/pygost/asn1schemas/cert-selfsigned-example.py b/pygost/asn1schemas/cert-selfsigned-example.py
index df832ba..edce696 100755
--- a/pygost/asn1schemas/cert-selfsigned-example.py
+++ b/pygost/asn1schemas/cert-selfsigned-example.py
@@ -237,10 +237,14 @@ exts = [
 if args.ca:
     exts.append(Extension((
         ("extnID", id_ce_basicConstraints),
-        ("extnValue", OctetString(BasicConstraints((("cA", Boolean(True)),)).encode())),
+        ("critical", Boolean(True)),
+        ("extnValue", OctetString(BasicConstraints((
+            ("cA", Boolean(True)),
+        )).encode())),
     )))
     exts.append(Extension((
         ("extnID", id_ce_keyUsage),
+        ("critical", Boolean(True)),
         ("extnValue", OctetString(KeyUsage(("keyCertSign",)).encode())),
     )))
 if ca_ai is not None:
-- 
2.44.0