Don't forget Path Length. -Kyle H
On 12/28/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
On Thu, Dec 28, 2006, Aaron Barnes wrote:

> Yes I did. I had to install that yesterday also in order for the
> subordinate to trust the root.
>
> I was reading on the web site (specifically on this web page:
> http://www.openssl.org/docs/apps/x509v3_config.html# ) It would seem to
> indicate one should modify the basicConstraints lines in the openssl.cnf
> file, but again I am not terribly familiar with this option. The only
> things I have modified in my openssl.cnf file so far are the lines to
> include email address, location, directory structure, changed policy
> fields to optional, and the key size.
>
> If I am understanding this correctly, the OpenSSL root issued the
> certificate as a simple 'machine' cert, not as a subordinate CA. Am I
> on the right track?
>

If you used the CA.pl script to generate the certificates it should just "do the right thing". The standard openssl.cnf has some sensible defaults which should suit most purposes. That includes using basicConstraints for a CA certificate.

If you've used other commands (all manner of weird stuff is recommended by some cookbooks) then the certificates may not suit your purpose.

If you do:

openssl x509 -in cert.pem -text -noout

you should see the basicConstraints extension. It must have CA:TRUE for both the root CA and the subordinate.

If that doesn't help just post (or mail me privately) with the two certificates you have created.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
--
-Kyle H
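
The basicConstraints and path length points raised in this thread can be checked end to end with a throwaway PKI. This is an added example, not code from the thread or from the OpenSSL project; it assumes an `openssl` binary (1.1.0 or later) on the PATH, and every file name, section name and CN in it is made up.

```shell
#!/bin/sh
# Added example. Every name, key and file here is constructed test data.
set -eu
cd "$(mktemp -d)"
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca_pathlen0_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[machine_ext]
basicConstraints = CA:FALSE
EOF

# issue NAME SIGNER EXT_SECTION: new key and CSR for NAME, signed by SIGNER.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" -config pki.cnf 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 2 -extfile pki.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
}

# chain_ok LEAF INTERMEDIATE...: succeeds only if LEAF verifies up to root.pem.
chain_ok() {
  leaf=$1; shift
  : > chain.pem
  for c in "$@"; do cat "$c.pem" >> chain.pem; done
  openssl verify -CAfile root.pem -untrusted chain.pem "$leaf.pem" >/dev/null 2>&1
}

openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=root" -days 2 -config pki.cnf -extensions ca_ext 2>/dev/null
issue sub       root    ca_pathlen0_ext  # subordinate CA, end entities only
issue machine   root    machine_ext      # "machine" cert wrongly used as a CA
issue sub2      sub     ca_ext           # CA below sub: exceeds sub's pathlen:0
issue leaf_ok   sub     machine_ext
issue leaf_bad  machine machine_ext
issue leaf_deep sub2    machine_ext

openssl x509 -in sub.pem -noout -text | grep 'CA:TRUE'
chain_ok leaf_ok sub        && echo "leaf_ok:   chain accepted"
chain_ok leaf_bad machine   || echo "leaf_bad:  rejected, issuer is not a CA"
chain_ok leaf_deep sub sub2 || echo "leaf_deep: rejected, path length exceeded"
```
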