Hello,
unfortunately it did not work. But I think it's not a problem but a
misconfiguration: I've checked my openssl.cnf and I've noticed a
property called nsCertType, which, if not set, means every purpose but
object signing. I think this could be the problem with my user certificates.
Could that be my problem? From the screenshots (not included), I see
that the CA certificate is, as explained, taken as valid, but the
personal certificates, although linked to the CA, are invalid: "This
certificate issuer entity seems not authorized to issue certificates or
it can not be used as a certificate for a final entity" (sorry, the message
is actually in Spanish; that's only a translation).
In the openssl.cnf file I've also seen another property, CA, which can be
FALSE or TRUE. I've understood that FALSE is for certificates and TRUE
for CAs. But it's under the X509v3 properties. Should I convert the
cacert.pem file into x509 format as some howtos suggest?
Kind regards
Jose
Dr. Stephen Henson wrote:
On Mon, Nov 28, 2005, José Luis Gómez wrote:
Hello,
I have installed OpenSSL 0.9.8 on a Linux box. Then I've created my own
CA (CA.sh -newca).
Then I create a certificate for a Windows machine with CA.sh -newreq,
then CA.sh -sign to sign it. Then I convert them into PKCS12 format to
export to a Windows 2000 Professional machine. This p12 contains the
personal key and the server certificate:
/usr/local/ssl/misc# openssl pkcs12 -export -in newcert.pem -inkey
newkey.pem -certfile demoCA/cacert.pem -out /tmp/client.p12
(some howtos explain that the key is in newreq.pem, but I've checked and
it is actually, at least for this version, in newkey.pem; if I try the
above command with newreq.pem it complains about the missing private
key).
Once under Windows, I import the p12 file under Root Certificate
Authorities; Windows 2000 considers such a CA certificate valid for all
purposes.
Then I import the p12 again, as it contains the client key, under
Personal certificates. But when I double click on it, it says that the
certificate is invalid or the CA does not have authority to issue
certificates. Hence I cannot use IPSEC with this certificate, as IPSEC
complains of not having any valid certificate.
I previously installed the High Encryption package on the Windows 2000
Professional box, so I don't understand the problem. The service pack is
SP4, which, I think, is the last available version.
Any help?
Don't use CA.sh; use CA.pl instead.
Don't import the PKCS#12 file under root authorities. Instead import
cacert.pem and it should be added as a trusted root.
Then when you later import the PKCS#12 file it should verify correctly.
Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
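To show the point the thread turns on in one runnable script: the CA certificate has to carry basicConstraints CA:TRUE, the client certificate CA:FALSE with an explicit nsCertType, and the trusted-root store receives the CA certificate on its own PEM rather than the whole PKCS#12 bundle. This is an added example, not code from the thread or from OpenSSL; it assumes OpenSSL 1.1.1 or newer, and the names (Demo Root CA, client1, the "demo" export password, the file paths) are invented.

```shell
# Added example (not from the thread): tiny CA, one client certificate with
# explicit end-entity extensions, PKCS#12 export, and the CA certificate pulled
# back out as a separate PEM. Assumes OpenSSL 1.1.1+; all names are invented.
set -eu

# make_demo_pki DIR: writes ca.pem, ca.key, client.pem, client.key, client.p12
make_demo_pki() {
  dir=$1; mkdir -p "$dir"
  # Private config so the system openssl.cnf cannot add extensions of its own
  cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[v3_client]
basicConstraints = CA:FALSE
nsCertType = client,email
EOF
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -new -config "$dir/ca.cnf" -subj "/CN=client1" -newkey rsa:2048 -nodes \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  # Sign the request; v3_client gives the leaf CA:FALSE and an explicit nsCertType
  openssl x509 -req -days 30 -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/ca.cnf" -extensions v3_client -out "$dir/client.pem" 2>/dev/null
  # Same bundle as the thread's export command: key + leaf + CA certificate
  openssl pkcs12 -export -in "$dir/client.pem" -inkey "$dir/client.key" \
    -certfile "$dir/ca.pem" -passout pass:demo -out "$dir/client.p12"
  # CA certificate alone: this is what goes into the trusted-root store, not the .p12
  openssl pkcs12 -in "$dir/client.p12" -cacerts -nokeys -passin pass:demo \
    -out "$dir/ca-from-p12.pem" 2>/dev/null
}

# check_chain DIR: returns 0 when the leaf chains to the CA and the flags are right
check_chain() {
  dir=$1
  openssl verify -CAfile "$dir/ca.pem" "$dir/client.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/ca.pem" -noout -text | grep -q 'CA:TRUE' || return 1
  openssl x509 -in "$dir/client.pem" -noout -text | grep -q 'CA:FALSE' || return 1
  openssl x509 -in "$dir/client.pem" -noout -text | grep -q 'SSL Client, S/MIME' || return 1
  openssl x509 -in "$dir/ca-from-p12.pem" -noout -subject | grep -q 'Demo Root CA'
}
```

Run it as `make_demo_pki /tmp/demopki && check_chain /tmp/demopki`; a non-zero exit from check_chain means the chain or the extension flags are not what the Windows certificate viewer expects.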