Hi!

I want to create a CA hierarchy because I would like to simply transport only one Root CA fingerprint out-of-band to the end entity (e.g. user) but still have different CA policies and private keys.

But I have a strange problem with a one-level CA hierarchy and Netscape Communicator: I create a Root CA cert which signs several sub CAs. I took special care of the PKIX-relevant X.509v3 extensions for certificate authorities. After all I can download the CA certs into Netscape Communicator (no matter if 4.08, 4.51 or 4.6) and everything seems fine. But:

1. If I download the Root CA cert I am still prompted for accepting the sub CA certs. :-(
2. If I delete the Root CA cert, according to "Verify" the sub CA certs are still valid. :-0

After that I checked my CA certs with "openssl verify" and the sub CA certs are not regarded as being valid without the Root CA cert (like self-signed certs). For me it seems that the CA certs are created and issued correctly.

Does anybody have a clue what happens? Is Netscape Communicator that buggy? If anybody has the time to look at some sample certificates I will provide them. Maybe I messed up some of the X.509v3 extensions.

Ciao, Michael.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
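
The `openssl verify` check described in the message above can be reproduced on throwaway certificates. This is an added example, not part of the original post: it builds a root CA and one sub CA, verifies the sub CA with and without the root as trust anchor, and confirms the CA flag in the extensions. Subject names, file names and extension values are assumptions, and `-no-CAfile`/`-no-CApath` require OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example: throwaway root CA and sub CA, constructed for this check only.

build_chain() {  # $1 = empty working directory
  # Minimal config; the v3_ca section carries the CA extensions (assumed values).
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Self-signed root CA.
  openssl req -x509 -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
    -extensions v3_ca -subj "/CN=Example Root CA" -days 1 \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
  # Sub CA: key and CSR first, then a certificate signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
    -subj "/CN=Example Sub CA" \
    -keyout "$1/sub.key" -out "$1/sub.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/sub.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -extfile "$1/ca.cnf" -extensions v3_ca -days 1 \
    -out "$1/sub.pem" 2>/dev/null
}

# Sub CA verified against the root as the only trust anchor.
verify_with_root() {
  openssl verify -CAfile "$1/root.pem" "$1/sub.pem" >/dev/null 2>&1
}

# Same certificate with no trust anchor supplied: the issuer cannot be found.
verify_without_root() {
  openssl verify -no-CAfile -no-CApath "$1/sub.pem" >/dev/null 2>&1
}

# True if the certificate's basicConstraints extension marks it as a CA.
is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

d=$(mktemp -d) && build_chain "$d" || exit 1
verify_with_root "$d"    && echo "sub CA, root trusted: verified"
verify_without_root "$d" || echo "sub CA, no root: rejected"
is_ca "$d/sub.pem"       && echo "sub CA carries basicConstraints CA:TRUE"
rm -rf "$d"
```

A sub CA that still verifies after the root is removed from a client's store points at the client's trust handling, since the signature chain alone cannot be completed without the issuer.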