On 09.05.2012 15:42, Bill Cole wrote:
> On 9 May 2012, at 9:05, Markus Fritz wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 09.05.2012 14:32, Ken Stevenson wrote:
>>>>
>>>> I got only these keys. Can you explain to me what exactly you mean by
>>>> adding chains?
>>>> And I wonder why this error only occurs in Thunderbird, not in
>>>> openssl.
>>>>
>>>
>>> Never mind, I don't think my first guess was correct. I wonder if it
>>> has to do with the error 27 reported in the verify by openssl. According
>>> to the manual, an error 27 means:
>>>
>>> "the root CA is not marked as trusted for the specified purpose."
>>>
>>> It looks like the certificate is valid cryptographically, but that it
>>> wasn't certified for how you're using it.
>>>
>>> If I run:
>>>
>>> openssl x509 -in ssl.crt -noout -text
>>>
>>> The output includes the following:
>>>
>>> X509v3 Extended Key Usage:
>>> TLS Web Server Authentication, TLS Web Client Authentication
>>> X509v3 Key Usage: critical
>>> Digital Signature, Key Encipherment
>>>
>>> Does yours look different?
>>
>> Mine looks like this:
>>
>> X509v3 Basic Constraints:
>> CA:FALSE
>
> There's your problem.
>
> If you use a root CA in any X.509 trust chain (even one consisting of
> a single self-signed certificate) that declares itself to not be
> legitimate for use as a CA, you will have any signed certificates
> treated as bogus by any proper X.509v3 implementation. Most tools that
> create certificates do so with assumptions suited to the external CA
> model, and set options like the Basic Constraints extension flags that
> are not fit for a self-signed certificate.

Sorry for my stupid question, but how can I resolve this with a StartSSL signed cert? There I am able to generate a WEB or MIME cert.

Thanks for help!

-- 
Markus Fritz
Administration
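The check Bill describes above (is the Basic Constraints extension present, and does it say CA:TRUE?) is what `openssl x509 -text` prints in human form. As an added example, not code from the thread or from any of its participants, here is a small standard-library-only Python parser that walks DER, locates the Basic Constraints extension (OID 2.5.29.19) and reports the cA flag, so a certificate can be tested for CA fitness before it is installed as a trust anchor. The sample extension blocks at the bottom are constructed for this example and are not bytes from Markus's certificate; the function names are mine.

```python
"""Find the X.509v3 Basic Constraints extension in a DER blob and read its cA flag.

Works on any DER structure that contains the extension, including a whole
certificate, because it simply descends into every constructed TLV.
Standard library only; no OpenSSL needed.
"""

BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # OID 2.5.29.19 in DER form


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _iter_tlvs(buf):
    """Yield (tag, value) for each sibling TLV in buf."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value


def _decode_basic_constraints(extn_value):
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }"""
    tag, inner, _ = _read_tlv(extn_value, 0)
    if tag != 0x30:
        raise ValueError("BasicConstraints value is not a SEQUENCE")
    ca, path_len = False, None              # cA defaults to FALSE when absent
    for t, v in _iter_tlvs(inner):
        if t == 0x01:                       # BOOLEAN
            ca = v != b"\x00"
        elif t == 0x02:                     # INTEGER
            path_len = int.from_bytes(v, "big")
    return ca, path_len


def find_basic_constraints(der):
    """Return {"ca", "critical", "path_len"} for the Basic Constraints extension,
    or None when the extension is absent from the structure."""
    for tag, value in _iter_tlvs(der):
        if tag == 0x30:
            # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
            fields = list(_iter_tlvs(value))
            if fields and fields[0][0] == 0x06 and fields[0][1] == BASIC_CONSTRAINTS_OID:
                critical = any(t == 0x01 and v != b"\x00" for t, v in fields[1:-1])
                ca, path_len = _decode_basic_constraints(fields[-1][1])
                return {"ca": ca, "critical": critical, "path_len": path_len}
        if tag & 0x20:                      # constructed type: descend into it
            found = find_basic_constraints(value)
            if found is not None:
                return found
    return None


def can_act_as_ca(der):
    """True only if Basic Constraints is present with cA=TRUE (RFC 5280 rule for v3 certs).
    A self-signed root that fails this is exactly the CA:FALSE case from the thread."""
    bc = find_basic_constraints(der)
    return bc is not None and bc["ca"]


# Constructed sample Extensions SEQUENCEs (hand-assembled DER, not from any real cert):
END_ENTITY_EXTS = bytes.fromhex("300e" "300c0603551d130101ff04023000")          # BC critical, CA:FALSE
CA_EXTS         = bytes.fromhex("3011" "300f0603551d130101ff040530030101ff")    # BC critical, CA:TRUE
CA_PATHLEN_EXTS = bytes.fromhex("3014" "30120603551d130101ff0408300601 01ff020100".replace(" ", ""))  # CA:TRUE, pathlen 0
NO_BC_EXTS      = bytes.fromhex("3010" "300e0603551d0f0101ff0404030205a0")      # only Key Usage, no BC

if __name__ == "__main__":
    for name, blob in [("end-entity", END_ENTITY_EXTS), ("ca", CA_EXTS),
                       ("ca-pathlen0", CA_PATHLEN_EXTS), ("no-bc", NO_BC_EXTS)]:
        print(name, find_basic_constraints(blob), "usable as CA:", can_act_as_ca(blob))
```

Run it on a real certificate with `find_basic_constraints(open("ca.der", "rb").read())` after converting PEM to DER (`openssl x509 -in ca.crt -outform DER -out ca.der`). A `False` from `can_act_as_ca` on the certificate you intend to use as a root explains the rejection: a proper X.509v3 validator refuses to build a chain through a certificate that does not assert cA=TRUE, regardless of whether the signatures check out.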