Dean Lin wrote:
> 
> Dear All.
> 
> I'm a newbie on openssl.
> I have two CAs on different servers.
> One is the root CA and the other is the intermediate CA.
> I am trying to have the intermediate CA signed by the root CA.
> 
> The following steps are how I try to sign it.
> 
> 1.
> In root CA.
> openssl genrsa -des3 -out ca.key 1024 -rand random-bits
> openssl req -new -days 3650 -config ca.config -key ca.key -out ca.crt
> 
> 2.
> In intermediate CA
> openssl genrsa -des3 -out ca.key 1024 -rand random-bits
> openssl req -new -days 3650 -config ca2.config -key ca2.key -out ca2.csr
> 
> 3.
> In root CA
> openssl ca -config ca.config -out ca2.crt -infiles ca2.csr
> 
> 4.
> In intermediate CA
> openssl genrsa -out dean.key 1024
> openssl req -new -config ca.config -key dean.key -out dean.csr
> openssl ca -config ca.config -out dean.crt -infiles ca.csr
> 
> Then I got this error message:
> Certificate is to be certified until Dec 15 12:37:59 2001 GMT (365 days)
> 21707:error:2207707B:X509 V3 routines:V2I_AUTHORITY_KEYID:unable to get issuer keyid:v3_akey.c:210:
> 21707:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in extension:v3_conf.c:91:name=authorityKeyIdentifier, value=keyid:always
> 
> How do I set up authorityKeyIdentifier?
> 

It looks like you've modified the default configuration files to get
that error. It gets authorityKeyIdentifier's keyid option from the
subjectKeyIdentifier of the issuer's certificate, and by using the
"always" option it will produce an error if it fails. Therefore you
should edit the configuration file for the issuer's certificate so it
adds subjectKeyIdentifier and recreate it.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
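
The fix described in the reply, as an added example that is not part of the original thread or OpenSSL's own code: the root is created with `subjectKeyIdentifier`, so `authorityKeyIdentifier = keyid:always` succeeds when it signs the intermediate. Assumptions: the file names `req.cnf` and `inter.ext`, the subject names, unencrypted 2048-bit keys, and `openssl x509 -req -CA` standing in for the thread's `openssl ca` so that no CA database is needed.

```shell
#!/bin/sh
# Added example: all file names and subject names below are constructed.
set -e
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT

# req config shared by both CAs. v3_root is applied only to the self-signed
# root (req -x509); its subjectKeyIdentifier is the value that
# authorityKeyIdentifier=keyid:always copies into certificates the root signs.
cat > "$W/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_root
prompt = no
[dn]
CN = Example Root CA
[v3_root]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
EOF

# Extensions the root adds when it signs the intermediate CA's request.
cat > "$W/inter.ext" <<'EOF'
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

key_id() {  # $1 = certificate, $2 = Subject or Authority; prints the hex key id
    openssl x509 -in "$1" -noout -text |
        awk -v k="X509v3 $2 Key Identifier" \
            'f { gsub(/keyid:|[ \t]/, ""); print; exit } index($0, k) { f = 1 }'
}

build_chain() {
    openssl genrsa -out "$W/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -config "$W/req.cnf" \
        -key "$W/ca.key" -out "$W/ca.crt"
    openssl genrsa -out "$W/ca2.key" 2048 2>/dev/null
    openssl req -new -config "$W/req.cnf" -subj "/CN=Example Intermediate CA" \
        -key "$W/ca2.key" -out "$W/ca2.csr"
    openssl x509 -req -in "$W/ca2.csr" -CA "$W/ca.crt" -CAkey "$W/ca.key" \
        -CAcreateserial -days 1825 -extfile "$W/inter.ext" -out "$W/ca2.crt"
}

build_chain
echo "root SKI:         $(key_id "$W/ca.crt" Subject)"
echo "intermediate AKI: $(key_id "$W/ca2.crt" Authority)"
openssl verify -CAfile "$W/ca.crt" "$W/ca2.crt"
```

The two printed key ids are identical, which is the link chain-building software follows from the intermediate to its issuer.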
