I cannot speak to the specific requirements of iplanet enterprise but I can say that I am generating V3 certificates with openssl. I believe if you request certificate extensions it generates V3 certificates (since the extension mechanism itself was added in the V3 revision) so why don't you try requesting extensions like

    basicConstraints = CA:false
    authorityKeyIdentifier = keyid:always,issuer:always
    subjectKeyIdentifier = hash

in the request.

There is a document called something like openssl.txt in the documentation directory that I found very useful for this, as well as a good thorough reading of the sample openssl.conf file that is distributed with the openssl package.

In understanding what is going on at a high level I found reading the PKIX documents, specifically the profile document, very useful.

wen ding wrote:

> I try to use openssl to issue and manage certificates for internal usage.
> I generated CA ROOT certificate with utility from openssl and issued server
> certificate signed by the CA ROOT. The server certificate and CA ROOT worked
> very well with iplanet fasttrack 4.1, an early version web server from sun.
> After that I tried to use it with iplanet enterprise 5.5, the server
> certificate can be installed successfully. But the CA ROOT certificate can be
> recognized by iplanet enterprise 5.5, but when I tried to add it, the system
> failed with the message:
> "Incorrect Usage:Invalid certificate
> The server could not import one of the certificates".
>
> I found all ROOT CA from commercial CA can cooperate well with iplanet
> enterprise and in version field of all certificates from commercial CA 'V3'
> indicates that X509 version 3. In all certificates issued from openssl, the
> version field is filled with 'V1'. There are also other differences, such as
> fields "issuing organization key id" and "subject key id" do not exist in
> certificates from openssl.
>
> Besides the problem as stated above, the crl generated from openssl either
> can not work under iplanet enterprise and its version is also 'V1' while
> revocation list from commercial product is 'V3'.

--
Charles B. (Ben) Cranston
mailto:[EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
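Added example, not part of the original message or of the OpenSSL distribution: a shell sketch that issues a root CA and a server certificate with the extensions named in the reply and reads back the version field. The file names, section names (`v3_ca`, `v3_server`) and subject values are assumptions made for the illustration.

```shell
# Added example: all names, paths and subject values below are constructed.

# Write a minimal config whose extension sections are requested at signing time.
write_conf() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no

[ dn ]
CN = Example Internal Root CA

[ v3_ca ]
basicConstraints     = critical, CA:true
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints       = CA:false
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
EOF
}

# Build a root CA and a server certificate signed by it in directory $1.
make_pki() {
  d=$1
  write_conf "$d/pki.cnf" || return 1
  # Self-signed root; -extensions selects the [ v3_ca ] section.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/pki.cnf" \
    -extensions v3_ca -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
  # Server key and request, then sign with the root using [ v3_server ].
  openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
    -subj "/CN=www.example.internal" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -set_serial 2 -days 30 -extfile "$d/pki.cnf" -extensions v3_server \
    -out "$d/srv.crt" 2>/dev/null || return 1
}

# Print the Version line of certificate $1, e.g. "Version: 3 (0x2)".
cert_version() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *\(Version: .*\)$/\1/p'
}

# Succeed if certificate $1 carries the X509v3 extension named in $2.
has_ext() {
  openssl x509 -in "$1" -noout -text | grep -q "X509v3 $2"
}
# Usage: d=$(mktemp -d) && make_pki "$d" && cert_version "$d/srv.crt"
```

The root needs `subjectKeyIdentifier` so that `keyid:always` on the server certificate has a key identifier to copy from the issuer.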