On Sat, Oct 29, 2005, Cesc wrote:

> Hi,
>
> I am facing a problem it seems this guy from the email above also had, I
> just wonder what is the answer.
>
> My problem is that I want to create a multiple level CA ...
> RootAuthority RA ....
> CertAuthority CAx ...
> Users
>
> Thus, RA signs certs for CAx
> CAx issues certs for users, hostname, etc.
>
> I add the RA (root) cert to the browser, or provide it to the openssl verify
> function.
> The user cert (for bob) contains: bob's cert and CAx cert, thus creating a
> chain.
> * The verify function (for user cert Bob), will fail with:
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> * And the browser (firefox, for example), will not be able to follow up the
> chain and tell that bob's cert is trusted.
>
> The RA cert is issued with CA:true, pathlen:1
> The CAx certs are issued with CA:true, pathlen:0 (only able to sign end user
> certs).
>
> How can I fix this? What is wrong?
> What am I missing?
>

See what you get from this command:

openssl verify -CAfile root.pem -untrusted intermediate.pem -purpose smimesign usercert.pem

If you get an error include the -issuer_checks debugging option.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
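
The setup and the suggested command from this thread, as an added example that is not part of the original messages: it builds a throwaway RA -> CAx -> bob chain and compares verifying the bundled file against the root alone with verifying the user cert when CAx is passed via -untrusted. The subjects, bundle.pem, ext.cnf and the helper function names are assumptions made for the demonstration.

```shell
# Added example: subjects, ext.cnf, bundle.pem and helper names are constructed.
# make_chain DIR: build RA (pathlen:1) -> CAx (pathlen:0) -> bob in DIR.
make_chain() (
    mkdir -p "$1" && cd "$1" || exit 1
    cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ra_ext]
basicConstraints = critical,CA:TRUE,pathlen:1
[cax_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
[user_ext]
basicConstraints = CA:FALSE
EOF
    # Self-signed root (RA).
    openssl req -x509 -newkey rsa:2048 -nodes -config ext.cnf -extensions ra_ext \
        -subj "/CN=Example RA" -days 30 -keyout root.key -out root.pem 2>/dev/null || exit 1
    # new_csr NAME CN: fresh key and certificate request.
    new_csr() {
        openssl req -new -newkey rsa:2048 -nodes -config ext.cnf -subj "/CN=$2" \
            -keyout "$1.key" -out "$1.csr" 2>/dev/null
    }
    # CAx is signed by the root; bob is signed by CAx.
    new_csr cax "Example CAx" && openssl x509 -req -in cax.csr -CA root.pem -CAkey root.key \
        -CAcreateserial -extfile ext.cnf -extensions cax_ext -days 30 \
        -out intermediate.pem 2>/dev/null || exit 1
    new_csr bob "bob" && openssl x509 -req -in bob.csr -CA intermediate.pem -CAkey cax.key \
        -CAcreateserial -extfile ext.cnf -extensions user_ext -days 30 \
        -out usercert.pem 2>/dev/null || exit 1
    # The layout from the question: bob's cert followed by the CAx cert.
    cat usercert.pem intermediate.pem > bundle.pem
)
# verify_ok ARGS...: true only when `openssl verify` reports "<file>: OK".
verify_ok() { openssl verify "$@" 2>&1 | grep -q ': OK$'; }

demo() {
    d=$(mktemp -d) && make_chain "$d" || return 1
    # openssl verify checks only the first certificate in the target file, so
    # the CAx cert appended to bundle.pem is never used to build the chain.
    verify_ok -CAfile "$d/root.pem" "$d/bundle.pem" \
        && echo "bundle, root only: OK" || echo "bundle, root only: FAILED"
    # Supplying CAx as an untrusted intermediate lets the chain reach the root.
    verify_ok -CAfile "$d/root.pem" -untrusted "$d/intermediate.pem" \
        -purpose smimesign "$d/usercert.pem" \
        && echo "with -untrusted: OK" || echo "with -untrusted: FAILED"
}
demo
```

Certificates given with -untrusted are used only to build the path; the chain must still end at a certificate from -CAfile to be accepted.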