I have gone through multiple questions but still I am confused. RFC X.509 also does not clarify it.
Conforming CAs MUST include this extension in certificates that
contain public keys that are used to validate digital signatures on
other public key certificates or CRLs. When present, conforming CAs
SHOULD mark this extension as critical.
Does it mean Self signed ROOT CA should have Key Usage extension in it? We do not have it in our released ROOT Certificate but we want to avoid any issues in the future if applications started declining the certificates without having Key Usage extension. If RFC mandates it then we want to update our Root Certificates with Key Usage and if not then we are going to keep it as is.
