> > Per earlier messages from Steve Henson, the SUB ROOT CA (CN=ATEST5) has
> > "Basic Constraints" with "CA=TRUE", and "Digital Signature, Certificate
> > Sign, CRL Sign".
> >
> 
> I can't recall saying the CA certificate needed "digital signature". It
> doesn't but if you sign with user certificates they do.


Hi Steve,

Re. the above, my sincerest apologies.  

I got a bit confused (and probably confused you and others) because I've
been working on a couple of different things.

The "earlier messages" that I was referring to was referring to a
different, earlier thread ("Problem working with RSA certs?") where we
had been actually discussing a problem I was having with client certs
not showing up when I was trying to connect to an SSL-enabled server.

After I had gotten that problem resolved (thanks to you), I moved on to
another thing, where I was trying to help get a subordinate CA test
configuration working, and I was having some problems with certs issued
by the subordinate CA.  

I was able to get that working on my own, and the problem was that the
subordinate CA cert wasn't being created with the "Basic Constraints",
etc.  

It was then, after I was finally able to get the subordinate CA
configured, that I noticed the Basic Constraints not being present in
the root CA cert.


For some reason, I got the two situations (the first problem I ran into
with client certs vs. the second problem that I had with setting up the
sub-CA cert) confused when I posted the initial message in this thread,
so I know I probably really confused you :(!!!

Anyway, re. THIS thread, as I posted previously, I think that I've found
an explanation, i.e., that the root CA cert in the chain doesn't need to
have Basic Constraints.


I'm hoping that this message clarifies things and doesn't make things
more confusing, and again, my apologies.

Yours,
Jim
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
