I think I see what you're getting at now. I reviewed the text of the root and the subordinate certs; the root does NOT have the CA:TRUE (false obviously), the subordinate does have CA:TRUE. So I guess this tells me I must have installed the root CA incorrectly.
I didn't use CA.pl, but rather CA.sh. I'll list each step I did to set up OpenSSL and the root.

1. ./config
2. make
3. make test
4. make install
5. ./CA.sh -newca
6. ./CA.sh -sign

It sounds like I'll probably need to redo the root setup, but let me know if there is an adjustment I need to make based on how many tiers I want to set up in the overall PKI. I'll also email you copies of the certificates separately.

Aaron

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: Thursday, December 28, 2006 12:34
To: openssl-users@openssl.org
Subject: Re: OpenSSL with Windows subordinates

If you used the CA.pl script to generate the certificates it should just "do the right thing". The standard openssl.cnf has some sensible defaults which should suit most purposes. That includes using basicConstraints for a CA certificate.

If you've used other commands (all manner of weird stuff is recommended by some cookbooks) then the certificates may not suit your purpose.

If you do:

openssl x509 -in cert.pem -text -noout

you should see the basicConstraints extension. It must have CA:TRUE for both the root CA and the subordinate.

If that doesn't help just post (or mail me privately) with the two certificates you have created.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
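The check Steve describes, worked through as an added example that is not part of the thread and not code from either poster or from the OpenSSL project. It assumes an `openssl` binary on the PATH and builds, in a temporary directory, two throw-away two-tier chains: one whose self-signed root carries basicConstraints CA:TRUE, and one whose root carries CA:FALSE, which is the state Aaron reports for his root. All certificate names and subjects are constructed for the demonstration. It goes one step beyond the thread by also running `openssl verify`, which shows why a root without CA:TRUE cannot anchor a subordinate even though the subordinate itself is a CA.

```shell
#!/bin/sh
# Added example: check basicConstraints on a root and a subordinate CA
# certificate, the way "openssl x509 -text -noout" exposes it, and see
# what chain verification makes of a root that lacks CA:TRUE.
set -eu

WORK=$(mktemp -d)          # constructed scratch directory, removed on exit
trap 'rm -rf "$WORK"' EXIT

# is_ca CERTFILE: succeeds only if the certificate text shows CA:TRUE
# (the line printed under "X509v3 Basic Constraints").
is_ca() {
    openssl x509 -in "$1" -text -noout | grep -q 'CA:TRUE'
}

# make_key_and_csr NAME CN: fresh RSA key plus a CSR with the given subject
make_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

# self_sign NAME CAFLAG: self-signed "root" whose basicConstraints is
# CA:TRUE or CA:FALSE, chosen explicitly via -extfile so the result does
# not depend on the defaults of a particular OpenSSL version.
self_sign() {
    printf 'basicConstraints=critical,CA:%s\n' "$2" > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# sign_with_ca NAME CANAME CAFLAG: subordinate issued by CANAME, again with
# an explicit basicConstraints value.
sign_with_ca() {
    printf 'basicConstraints=critical,CA:%s\n' "$3" > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" \
        -CAkey "$WORK/$2.key" -CAcreateserial -days 1 \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# chain_ok ROOTNAME SUBNAME: does the subordinate verify against the root?
chain_ok() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# build_chain NAME ROOTFLAG: self-signed root (CA:ROOTFLAG) plus a
# subordinate CA (always CA:TRUE) signed by it.
build_chain() {
    make_key_and_csr "$1"     "Example Root $1"
    self_sign        "$1"     "$2"
    make_key_and_csr "$1-sub" "Example Sub $1"
    sign_with_ca     "$1-sub" "$1" TRUE
}

# report NAME: print the basicConstraints result for root and sub, and
# whether the pair verifies as a chain.
report() {
    for c in "$1" "$1-sub"; do
        if is_ca "$WORK/$c.pem"; then echo "$c: CA:TRUE"; else echo "$c: not CA:TRUE"; fi
    done
    if chain_ok "$1" "$1-sub"; then
        echo "$1 chain: verify OK"
    else
        echo "$1 chain: verify FAILED (root is not a valid CA)"
    fi
}

build_chain good TRUE    # both tiers carry CA:TRUE, as Steve requires
build_chain bad  FALSE   # root lacks CA:TRUE, subordinate has it
report good
report bad
```

Running it prints CA:TRUE for both certificates in the `good` chain and a passing `openssl verify`, while the `bad` chain shows the root without CA:TRUE and verification failing at the root, which is the symptom to expect from a root generated without the basicConstraints extension.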