I am facing a problem that it seems this guy from the email above also had; I just wonder what the answer is.
My problem is that I want to create a multiple-level CA ...
RootAuthority RA ....
CertAuthority CAx ...
Users
Thus, RA signs certs for CAx.
CAx issues certs for users, hostnames, etc.
I add the RA (root) cert to the browser, or provide it to the openssl verify function.
The user cert (for bob) contains bob's cert and the CAx cert, thus creating a chain.
* The verify function (for user cert Bob) will fail with:
error 20 at 0 depth lookup:unable to get local issuer certificate
* And the browser (Firefox, for example) will not be able to follow the chain and tell that bob's cert is trusted.
The RA cert is issued with CA:true, pathlen:1
The CAx certs are issued with CA:true, pathlen:0 (only able to sign end-user certs).
How can I fix this? What is wrong?
What am I missing?
Tks in advance,
Cesc
On 6/20/05, David Busby <[EMAIL PROTECTED]> wrote:
Gurus,
Two questions (perhaps I should have split this)
#1 When I look at Thawte or VeriSign certs that a server has, there is a hierarchy: Thawte then me, or VeriSign then me.
Well, I made my own CA and signed some certs, but they don't have the hierarchy like the commercial ones. What gives? Do I
need to make a root CA, then another CA signed by root, then sign the certs with the second one?
/djb
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
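The RA -> CAx -> bob hierarchy Cesc describes above, rebuilt with the same basicConstraints and then checked with openssl verify once with the root alone and once with the CAx cert handed over as an untrusted chain element. This is an added example, not code from the thread; the file names, the minimal req config and the 2048-bit RSA keys are assumptions.

```shell
#!/bin/sh
# Added example: three-level chain (RA -> CAx -> bob) and how openssl verify
# reacts depending on whether the intermediate is available to it.
set -eu

# Build the hierarchy inside directory $1 (file names are assumed).
build_chain() {
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/req.cnf"  # no default extensions

    # Root (RA): self-signed, CA:TRUE, pathlen:1 (may sign one level of sub-CA)
    openssl req -x509 -config "$d/req.cnf" -subj "/CN=RA" -days 365 \
        -newkey rsa:2048 -nodes -keyout "$d/ra.key" -out "$d/ra.pem" \
        -addext "basicConstraints=critical,CA:TRUE,pathlen:1" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null

    # Intermediate (CAx): signed by RA, CA:TRUE, pathlen:0 (end-entity certs only)
    openssl req -new -config "$d/req.cnf" -subj "/CN=CAx" \
        -newkey rsa:2048 -nodes -keyout "$d/cax.key" -out "$d/cax.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/cax.ext"
    openssl x509 -req -in "$d/cax.csr" -CA "$d/ra.pem" -CAkey "$d/ra.key" \
        -CAcreateserial -days 365 -extfile "$d/cax.ext" -out "$d/cax.pem" 2>/dev/null

    # End entity (bob): signed by CAx, CA:FALSE
    openssl req -new -config "$d/req.cnf" -subj "/CN=bob" \
        -newkey rsa:2048 -nodes -keyout "$d/bob.key" -out "$d/bob.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=digitalSignature\n' > "$d/bob.ext"
    openssl x509 -req -in "$d/bob.csr" -CA "$d/cax.pem" -CAkey "$d/cax.key" \
        -CAcreateserial -days 365 -extfile "$d/bob.ext" -out "$d/bob.pem" 2>/dev/null
}

# Verify bob.pem with only the RA root as trust anchor; returns openssl's status.
verify_without_intermediate() {
    openssl verify -CAfile "$1/ra.pem" "$1/bob.pem"
}

# Same trust anchor, but the CAx cert is supplied for chain building.
verify_with_intermediate() {
    openssl verify -CAfile "$1/ra.pem" -untrusted "$1/cax.pem" "$1/bob.pem"
}

work=$(mktemp -d)
build_chain "$work"
verify_without_intermediate "$work" || echo "root alone: issuer of bob not found (expected)"
verify_with_intermediate "$work"   # prints ".../bob.pem: OK"
```

A browser behaves the same way: it needs to receive or already hold the CAx certificate to link bob's certificate to the trusted RA root.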