On Sat, Mar 05, 2005, ohaya wrote:

> Hi,
>
> Per earlier messages from Steve Henson, the SUB ROOT CA (CN=ATEST5) has
> "Basic Constraints" with "CA=TRUE", and "Digital Signature, Certificate
> Sign, CRL Sign".
>
I can't recall saying the CA certificate needed "digital signature". It doesn't, but if you sign with user certificates, they do.

> However, I noticed that the ROOT CA (CN=ATEST4) certificate doesn't have
> any of these extensions (e.g., "CA=TRUE", etc.), and yet, it was able to
> re-sign the SUB ROOT CA (CN=ATEST5) certificate, and the SUB ROOT CA
> seems to be able to issue proper end user certs.
>
> The questions that I have are:
>
> 1) Do both of these CA certs look "all right"?
>
> 2) Does the ROOT CA cert look "all right" for a CA certificate, i.e.,
> does it look like a valid ROOT CA certificate?
>

The standards don't actually say much about the root CA at present. However, it should really have those extensions. It is also a V1 and not a V3 certificate. This might be because you are following one of the old or inaccurate guides, or even the odd book that gives incorrect instructions.

If you use either the CA.pl script or 'openssl req -x509', it will use the correct extensions for a CA. If you just use the 'x509' utility, you need to tell it what extension section to use on the command line.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
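The following is an added example, not part of the thread above and not code from the OpenSSL project. It shows both paths Steve describes: 'openssl req -x509' with an extension section in the config produces a V3 root CA certificate carrying basicConstraints CA:TRUE and keyCertSign/cRLSign, while signing a request with the bare 'x509' utility and no extension section produces a certificate with none of those extensions (the situation the original poster hit). The config file contents, the CN "ATEST4", the working directory under TMPDIR and the check function are all assumptions made for this example; it expects an 'openssl' binary on PATH.

```shell
#!/bin/sh
# Added example (not from the original thread or from OpenSSL itself).
# Demonstrates: correct V3 root CA via 'openssl req -x509' + extension
# section, versus a bare 'openssl x509 -req' signing with no extensions.
set -eu

# Assumed scratch directory; everything is written here and can be deleted.
WORK="${TMPDIR:-/tmp}/ca-ext-demo.$$"
mkdir -p "$WORK"

# Assumed minimal config. The v3_ca section is what makes the cert a V3
# CA cert: basicConstraints CA:TRUE plus the keyCertSign/cRLSign usages.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca

[ dn ]
CN = ATEST4

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

# Right way: 'req -x509' reads x509_extensions from the config section,
# so the self-signed root comes out as V3 with the CA extensions.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -config "$WORK/ca.cnf" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# Wrong way (what old guides show): make a CSR, then sign it with the
# 'x509' utility without -extfile/-extensions. Nothing tells 'x509' which
# extension section to use, so no CA extensions are added at all.
make_bare_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -keyout "$WORK/bare.key" -out "$WORK/bare.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/bare.csr" -signkey "$WORK/bare.key" \
    -days 3650 -out "$WORK/bare.crt" 2>/dev/null
}

# Inspect a PEM certificate and report whether it looks like a proper CA
# cert: X.509 v3, basicConstraints CA:TRUE, keyCertSign and cRLSign.
# Prints "ok", or "bad:" followed by the missing items.
check_ca_cert() {
  txt=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || { echo unreadable; return 1; }
  problems=""
  echo "$txt" | grep -q 'Version: 3'       || problems="$problems not-v3"
  echo "$txt" | grep -q 'CA:TRUE'          || problems="$problems no-basicConstraints-CA"
  echo "$txt" | grep -q 'Certificate Sign' || problems="$problems no-keyCertSign"
  echo "$txt" | grep -q 'CRL Sign'         || problems="$problems no-cRLSign"
  if [ -z "$problems" ]; then echo ok; else echo "bad:$problems"; fi
}

# Stand-alone run: build both certificates and report on each.
make_root_ca
echo "root.crt (req -x509 + v3_ca): $(check_ca_cert "$WORK/root.crt")"
make_bare_cert
echo "bare.crt (x509 -req, no extensions): $(check_ca_cert "$WORK/bare.crt")"
```

The files land under "$TMPDIR/ca-ext-demo.<pid>" and can be removed afterwards. The check is deliberately a grep over 'openssl x509 -text' output rather than a full path validation: the point is only to make the missing extensions visible. Note that the bare certificate still "works" for signing a subordinate CA in lenient tooling, exactly as the original poster observed, which is why checking the extensions explicitly matters.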