On Tue, Nov 29, 2005, José Luis Gómez wrote:

> Hello,
> unfortunately it did not work. But I think it's not a problem but a
> misconfiguration: I've checked my openssl.cnf and I've noticed a
> property called nsCertType, which, if not set, means every purpose but
> object signing. I think this could be the problem with my user certificates.
>

nsCertType is ignored by applications that use Windows for its cryptography.

> Could it be that my problem? From the screenshots (not included), I see
> that the CA certificate is, as explained, taken as valid, but the
> personal certificates although linked to the CA, are invalid: "This
> certificate issuer entity seems not authorized to issue certificates or
> it can not be used as a certificate for a final entity" (sorry, message
> actually is in Spanish, that's only a translation).
>

If you used CA.pl to create the certificates, correctly installed
cacert.pem in the trusted root store and imported the PKCS#12 file that
shouldn't happen.

If there are some invalid certificates in the root store (e.g. a client
certificate from a previous attempt) that could cause problems.

> In the openssl.cnf file I've also seen other property: CA: which can be
> FALSE or TRUE. I've understood that FALSE is for certificates and TRUE
> for CA's. But it's under X509v3 properties. Should I convert the
> cacert.pem file into x509 format as some howto's suggest?
>

If cacert.pem is imported into the root store and visible then there's
no point in converting it to DER format. Any howto that suggests
converting to "x509 format" is more than a little confused.

If you still can't get this to work can you send a test PKCS#12 file and
its password to me?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
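The checks discussed in this thread can be reproduced on a throwaway CA. The following is an added example, not part of the original message or of the OpenSSL project's own scripts: it reads the basicConstraints CA flag of each certificate, shows that the PEM and DER files hold the same X.509 certificate, and shows verification rejecting a certificate whose issuer is CA:FALSE. All file names, subject names and the `demo.cnf` contents are assumptions made up for the demo.

```shell
#!/bin/sh
# Constructed demo: a throwaway CA, a user certificate and a leaf wrongly
# issued by the user certificate. All names and paths are made up.
set -e
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

cat > "$work/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Demo Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
[user_ext]
basicConstraints = CA:FALSE
EOF

issue() {  # $1 = subject CN, $2 = new cert basename, $3 = issuer basename
  openssl req -new -newkey rsa:2048 -nodes -config "$work/demo.cnf" \
    -subj "/CN=$1" -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null
  openssl x509 -req -in "$work/$2.csr" -days 1 -set_serial 2 \
    -CA "$work/$3.pem" -CAkey "$work/$3.key" -extfile "$work/demo.cnf" \
    -extensions user_ext -out "$work/$2.pem" 2>/dev/null
}
ca_flag() {  # prints the basicConstraints CA value of a PEM certificate
  openssl x509 -in "$1" -noout -text | grep -Eo 'CA:(TRUE|FALSE)' | head -n 1
}
fp() {  # SHA-256 fingerprint; $1 = PEM or DER, $2 = file
  openssl x509 -inform "$1" -in "$2" -noout -fingerprint -sha256 | cut -d= -f2
}
chain_ok() {  # $1 = certificate to check, $2 = optional intermediate
  openssl verify -CAfile "$work/cacert.pem" ${2:+-untrusted "$2"} "$1" \
    >/dev/null 2>&1
}

# Self-signed CA (CA:TRUE), user cert from the CA, leaf from the user cert.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$work/demo.cnf" \
  -keyout "$work/cacert.key" -out "$work/cacert.pem" 2>/dev/null
issue "Demo User" user cacert
issue "Demo Leaf" leaf user
openssl x509 -in "$work/cacert.pem" -outform DER -out "$work/cacert.der"

echo "cacert.pem: $(ca_flag "$work/cacert.pem")  user.pem: $(ca_flag "$work/user.pem")"
echo "PEM fingerprint: $(fp PEM "$work/cacert.pem")"
echo "DER fingerprint: $(fp DER "$work/cacert.der")"
chain_ok "$work/user.pem" && echo "user.pem verifies against cacert.pem"
chain_ok "$work/leaf.pem" "$work/user.pem" || echo "leaf.pem rejected: its issuer is CA:FALSE"
```

On a real setup the same `openssl x509 -noout -text` and `openssl verify -CAfile` calls can be pointed at the actual cacert.pem and the user certificate extracted from the PKCS#12 file.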