We have this kind of certificate being used for development purposes:
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:TRUE
        X509v3 Key Usage:
            Digital Signature, Non Repudiation, Key Encipherment
        X509v3 Subject Alternative Name:
            DNS:domain1.loc, DNS:domain2.loc
I see CA:TRUE here, and because of that I am not sure whether it is safe to install this certificate in the OS X keychain as a trusted one (assuming that almost anybody has access to its private key). I do not see certificate signing in the "Key Usage" section, but CA:TRUE makes me a little bit nervous. Is it safe to trust this certificate?
If the private key is widely known, it is a bad idea to trust the certificate for any purpose, regardless of the particulars of the certificate.
Concerning the assertion of CA:TRUE in the Basic Constraints extension without the assertion of keyCertSign in the Key Usage extension, RFC 5280 has this to say:
If the keyUsage extension is present, then the subject public key MUST NOT be used to verify signatures on certificates or CRLs unless the corresponding keyCertSign or cRLSign bit is set.
So, a conformant implementation will not use this certificate for verifying signatures on certificates. However, what the OS X implementation actually does may deviate from RFC 5280, particularly if the certificate is explicitly marked as trusted in the Keychain. (I do not use OS X, so I cannot verify.)
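As an added example (not part of the question or the answer above), a small Python script that parses the extension block from the question as `openssl x509 -text` prints it and applies the RFC 5280 rule quoted in the answer. It assumes openssl's own labels for the key usage bits ("Certificate Sign" for keyCertSign, "CRL Sign" for cRLSign); the sample text is constructed from the certificate shown in the question.

```python
"""Apply the RFC 5280 keyUsage rule to the extension block of `openssl x509 -text`.
Added example; not code from the original question or answer."""
import re

# Constructed sample: the extension block from the question, as openssl prints it.
DEV_CERT_EXTENSIONS = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:domain1.loc, DNS:domain2.loc
"""


def parse_extensions(text):
    """Map each 'X509v3 <Name>:' header to the comma-separated values beneath it.
    The lowercase 'X509v3 extensions:' container line is skipped by the regex."""
    exts, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*X509v3 ([A-Z][^:]*):\s*(critical)?\s*$", line)
        if m:
            current = m.group(1)
            exts[current] = []
        elif current is not None and line.strip():
            exts[current].extend(v.strip() for v in line.split(","))
    return exts


def is_ca(exts):
    """True when Basic Constraints asserts CA:TRUE."""
    return "CA:TRUE" in exts.get("Basic Constraints", [])


def may_verify_cert_signatures(exts):
    """RFC 5280 4.2.1.3: if Key Usage is present, the key may verify signatures
    on certificates / CRLs only when keyCertSign / cRLSign is set (openssl shows
    these as 'Certificate Sign' / 'CRL Sign'). Returns (certs_ok, crls_ok)."""
    ku = exts.get("Key Usage")
    if ku is None:  # no keyUsage extension: this rule imposes no restriction
        return True, True
    return "Certificate Sign" in ku, "CRL Sign" in ku


if __name__ == "__main__":
    e = parse_extensions(DEV_CERT_EXTENSIONS)
    print("CA:TRUE:", is_ca(e), "| may verify (certs, CRLs):", may_verify_cert_signatures(e))
```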