Noor Haizad Mohd Said wrote:
>
> Dear Marat,
>
> I also faced the same problem as you. I want to issue a CA cert by signing a request
> generated by Windows2000. I also tried to cross certify their CA certificate. Both of
> them failed.
> The reasons this might happen are:
>
> 1) For generating a certificate by signing a W2000 request, the certificate is
> successfully created. But the certificate must contain the CRL Distributions and CA
> Version fields. The CA Version OID is important because it is being used as a
> reference in the W2000 Cert Services. Please refer to W2000 Certificate Services.
>
> 2) To cross certify their CA cert, the Subject Key Identifier must be retrieved
> correctly. I used a different engine to cross certify the W2000 CA cert. It failed.
>
> I hope this can give you some guidance. Maybe somebody can give some answers for
> these matters.
>
Well if you're signing a CA certificate you have to ensure you are using
the correct extensions. By default the OpenSSL utilities sign an end
user certificate so that's one thing to watch out for.
Wrt unsupported extensions, are they present in the certificate request?
If so then the latest development release of OpenSSL's 'ca' utility has
some options which will copy extensions from a request to the signed
certificate. Even if they aren't supported this will still work if they
are in the request.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
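
An added example, not part of the original message: signing a subordinate-CA request with `openssl ca` so the result carries CA extensions (`x509_extensions`) and keeps an extension that exists only in the request (`copy_extensions`). The names demo-root and demo-sub, the file names and the CRL URL are constructed, and an `openssl` binary on the PATH is assumed.

```shell
#!/usr/bin/env bash
# Added example; demo-root, demo-sub and crl.example.invalid are constructed.
issue_sub_ca() {
    work=$(mktemp -d) && cd "$work" || return 1
    mkdir newcerts && : > index.txt && echo 01 > serial
    cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
req_extensions = req_ext
[ dn ]
CN = demo-sub
[ req_ext ]
# Present only in the request; the signing section below does not set it.
crlDistributionPoints = URI:http://crl.example.invalid/sub.crl
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
new_certs_dir = newcerts
serial = serial
default_md = sha256
default_days = 30
policy = any_cn
unique_subject = no
# Sign with CA extensions rather than end-user ones.
x509_extensions = v3_ca
# Copy request extensions that v3_ca does not already define.
copy_extensions = copy
[ any_cn ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Constructed root CA, then the subordinate CA's request, then signing.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
        -subj "/CN=demo-root" -days 30 -config demo.cnf -extensions v3_ca \
        2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
        -config demo.cnf 2>/dev/null &&
    openssl ca -batch -config demo.cnf -cert root.crt -keyfile root.key \
        -in sub.csr -out sub.crt 2>/dev/null &&
    openssl x509 -in sub.crt -noout -text
}
# Show only the lines of interest from the issued certificate.
issue_sub_ca | grep -E 'CA:TRUE|URI:'
```

Because `copy_extensions` takes extensions from the requester, review the request (`openssl req -in sub.csr -noout -text`) before signing. The `copyall` value lets request extensions replace the ones in the signing section, including `basicConstraints`.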