Let me see if I understand what you're saying?
I need to generate another CA certificate that has only ssl client set yes?
This does not make sense especially if you read the extension section in the openssl.cnf file [ usr_cert ] which specifies that upon signing you can change the purpose of the certificate being signed.
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# For normal client use this is typical
# nsCertType = client, email
It would appear that this is where you tell the CA upon signing to add the type. The problem is by default it adds almost everything except CA ability, which is turned off by basicConstraints. So if what is written above is true then how do you remove types?
I'm sure that I don't have all the facts here, but they are a bit confusing.
Have a look at your openssl.cnf file, it's all defined in there.
HTH Michael
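The per-certificate restriction discussed in this thread, as an added example that is not part of the original messages: one CA signs the same request twice, once with a stock-style [ usr_cert ] section and once with a client-only section, and the resulting purposes are compared. The [ client_cert ] section name, the subject names and the use of `openssl x509 -req` in place of `openssl ca` (to avoid setting up a CA database) are assumptions made for the example.

```shell
#!/bin/sh
# Added example: throwaway CA and request, constructed test data only.
set -e
work=$(mktemp -d)

# Two extension sections: the stock [ usr_cert ] shape (nsCertType left out,
# so no purpose restriction) and a hypothetical client-only variant.
cat > "$work/ext.cnf" <<'EOF'
[ usr_cert ]
basicConstraints = CA:FALSE

[ client_cert ]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF

# Throwaway CA plus one end-entity key and CSR.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=example-user" \
    -keyout "$work/user.key" -out "$work/user.csr" 2>/dev/null

# sign_with SECTION: sign the same CSR with the same CA, applying SECTION.
sign_with() {
    openssl x509 -req -in "$work/user.csr" -CA "$work/ca.pem" \
        -CAkey "$work/ca.key" -CAcreateserial -days 1 \
        -extfile "$work/ext.cnf" -extensions "$1" \
        -out "$work/$1.pem" 2>/dev/null
}

# purpose_of SECTION NAME: print Yes/No for one line of `x509 -purpose`.
purpose_of() {
    openssl x509 -in "$work/$1.pem" -noout -purpose |
        awk -F' : ' -v p="$2" '$1 == p { print $2 }'
}

sign_with usr_cert
sign_with client_cert
for s in usr_cert client_cert; do
    echo "$s: client=$(purpose_of "$s" 'SSL client')" \
         "server=$(purpose_of "$s" 'SSL server')"
done
```

The CA certificate is identical in both runs; only the extension section applied at signing time differs.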