On 10/29/05, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> On Sat, Oct 29, 2005, Cesc wrote:
> > Hi,
> >
> > I am facing a problem it seems this guy from the email above also had, I
> > just wonder what is the answer.
> >
> > My problem is that I want to create a multiple level CA ...
> > RootAuthority RA ....
> > CertAuthority CAx ...
> > Users
> >
> > Thus, RA signs certs for CAx
> > CAx issues certs for users, hostnames, etc.
> >
> > I add the RA (root) cert to the browser, or provide it to the openssl verify
> > function.
> > The user cert (for bob) contains: bob's cert and CAx cert, thus creating a
> > chain.
> > * The verify function (for user cert Bob) will fail with:
> > error 20 at 0 depth lookup:unable to get local issuer certificate
> >
> > * And the browser (firefox, for example) will not be able to follow up the
> > chain and tell that bob's cert is trusted.
> >
> > The RA cert is issued with CA:true, pathlen:1
> > The CAx certs are issued with CA:true, pathlen:0 (only able to sign end user
> > certs).
> >
> > How can I fix this? What is wrong?
> > What am I missing?
> >
> See what you get from this command:
>
> openssl verify -CAfile root.pem -untrusted intermediate.pem -purpose smimesign usercert.pem

Used this way, it gives an OK.

> If you get an error include the -issuer_checks debugging option.

Adding this debug option, I thought it may be interesting to show the output ... here it is:
error 29 at 0 depth lookup:subject issuer mismatch
I checked, and the issuer at the usercert.pem and subject at the intermediate.pem cert are exactly the same ... I include the section from the .conf file for the intermediate CA (the V3 extensions added to usercert.pem).
[ rootca_extensions_user_cert ]
basicConstraints = CA:false
nsComment = "Comment ..."
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
issuerAltName = issuer:copy
nsBaseUrl = http://www.mywebpage1234.com
Anyway, does all this have to do with the usercert.pem cert not being recognized as valid by browsers? I want to distribute the root.pem cert ... then provide to users the cert chain file (first usercert.pem and second in file, intermediate.pem cert). Is this correct?
Should the root.pem or intermediate.pem certs contain some kind of key usage value? If so, which? root.pem is only to be used to sign intermediate CA certs; intermediate CA certs are to sign certs for users and hostnames (acting either as clients or servers, or both at the same time).
Regards,
Cesc
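The setup discussed in this thread, as an added example that is not part of the original mails: a script that builds the RA -> CAx -> user chain with the pathlen constraints Cesc describes (and keyUsage on both CA certs), then runs Dr. Henson's `openssl verify -CAfile ... -untrusted ...` check both with the intermediate supplied and with only the root known. File names root.pem, intermediate.pem and usercert.pem follow the mail; the subject names, key sizes, validity periods and work directory are assumptions.

```shell
#!/bin/sh
# Added example (not code from the mail thread): build the RA -> CAx -> user
# chain the thread describes, then run the verification Dr. Henson suggested,
# with and without handing the intermediate to openssl verify. File names
# root.pem, intermediate.pem and usercert.pem follow the mail; subject names,
# key sizes, validity periods and the work directory are assumptions.
set -e

build_chain() {   # $1 = work directory (created if missing)
  mkdir -p "$1"
  ( cd "$1"
    # Root (RA): CA:TRUE, pathlen:1 allows exactly one CA level beneath it.
    printf '%s\n' "basicConstraints=critical,CA:TRUE,pathlen:1" \
      "keyUsage=critical,keyCertSign,cRLSign" "subjectKeyIdentifier=hash" > root.ext
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Example RA"
    openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile root.ext -out root.pem

    # Intermediate (CAx): CA:TRUE, pathlen:0, so it may only sign end-entity certs.
    printf '%s\n' "basicConstraints=critical,CA:TRUE,pathlen:0" \
      "keyUsage=critical,keyCertSign,cRLSign" "subjectKeyIdentifier=hash" \
      "authorityKeyIdentifier=keyid,issuer" > ca.ext
    openssl req -new -newkey rsa:2048 -nodes -keyout intermediate.key -out intermediate.csr -subj "/CN=Example CAx"
    openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 30 -extfile ca.ext -out intermediate.pem

    # End-entity cert for bob: CA:FALSE plus key usage for TLS client or server use.
    printf '%s\n' "basicConstraints=CA:FALSE" "keyUsage=critical,digitalSignature,keyEncipherment" \
      "extendedKeyUsage=serverAuth,clientAuth" "subjectKeyIdentifier=hash" \
      "authorityKeyIdentifier=keyid,issuer:always" > user.ext
    openssl req -new -newkey rsa:2048 -nodes -keyout user.key -out user.csr -subj "/CN=bob"
    openssl x509 -req -in user.csr -CA intermediate.pem -CAkey intermediate.key -CAcreateserial \
      -days 30 -extfile user.ext -out usercert.pem

    # Chain file in the order the mail proposes: user cert first, then the issuing CA.
    cat usercert.pem intermediate.pem > chain.pem )
}

# Exit 0 and "usercert.pem: OK": the root is trusted, the intermediate is supplied
# as untrusted and the verifier builds the chain leaf -> CAx -> RA from it.
verify_with_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/chain.pem" -purpose sslserver "$1/usercert.pem"
}

# The failure from the original mail: only the root is known, so the leaf's
# issuer (CAx) cannot be found. Returns 0 when openssl verify fails as expected.
verify_root_only_fails() {
  ! openssl verify -CAfile "$1/root.pem" "$1/usercert.pem"
}
```

Run `build_chain ./demo && verify_with_chain ./demo && verify_root_only_fails ./demo` to see the OK result followed by the "unable to get local issuer certificate" failure.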