Wonderful! I redid the root CA setup using ca.pl, modified the openssl.cnf file to CA:TRUE in the v3_ca section, and signed the subordinate request using the previous command: (ca -config /path/openssl.cnf -out thecertificate.pem -in requestfile.req -extensions v3_ca). I imported the pem file for the subordinate, and also the root cert, and the Windows services started up just fine. I was also able to verify its functionality by requesting some user certs from it.

Is there much difference between signing with the openssl command above and the ca.pl perl script? It seems to me it is mainly helpful for automating the process. One last question if you don't mind. I noticed the keysize for my subordinate is 1024 bits. Where can I indicate the keysize when signing the request? In the openssl.cnf file I used, I have 4096 listed in the req section, but does this need to be placed elsewhere? It didn't work when I placed it in the v3_ca section.

Thanks,
Aaron

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: Thursday, December 28, 2006 15:47
To: openssl-users@openssl.org
Subject: Re: OpenSSL with Windows subordinates

Yes, the root CA has basicConstraints CA:FALSE on it, which is causing the error. I'd suggest you redo the root CA and the subordinate using CA.pl: CA.sh is an older script that isn't maintained any more. The command CA.pl -signCA automatically signs a request as a CA instead of an end entity cert.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
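The exchange above, carried through end to end as an added example (shell, not code from either poster): a throwaway root CA with CA:TRUE, a subordinate request, the `openssl ca -extensions v3_ca` signing step, and the checks on the result. It also shows why the key size cannot be set at signing time: it is fixed when the requester generates its key pair for the CSR. It assumes `openssl` is on PATH; the config, DNs and directory are constructed for the demo.

```shell
# Added example, not from the thread: build a throwaway root CA, sign a subordinate
# CA request with `openssl ca -extensions v3_ca`, then check what came out.
# Assumes `openssl` is on PATH; every path, name and DN here is constructed.
set -eu
build_demo_pki() {
  DIR=$(mktemp -d)
  (
    cd "$DIR"
    mkdir newcerts; : > index.txt; echo 1000 > serial
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/root.pem
private_key = $dir/root.key
default_md = sha256
default_days = 365
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
    # Self-signed root with -extensions v3_ca, so it carries CA:TRUE (the piece whose absence gave the CA:FALSE error).
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
      -subj "/CN=Demo Root" -days 365 -config openssl.cnf -extensions v3_ca 2>/dev/null
    # Subordinate request: the key size is decided HERE, when the requester generates its key pair; signing cannot change it.
    openssl req -new -newkey rsa:4096 -nodes -keyout sub.key -out sub.req \
      -subj "/CN=Demo Sub" -config openssl.cnf 2>/dev/null
    # Sign as a CA: -extensions v3_ca is what makes the issued cert CA:TRUE.
    openssl ca -batch -notext -config openssl.cnf -extensions v3_ca \
      -in sub.req -out sub.pem 2>/dev/null
  )
  echo "$DIR"
}
# Checks on the issued subordinate: key size, CA flag, and chain to the root.
sub_key_bits() { openssl x509 -in "$1/sub.pem" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'; }
sub_ca_flags() { openssl x509 -in "$1/sub.pem" -noout -text | grep -c 'CA:TRUE'; }
chain_ok()     { openssl verify -CAfile "$1/root.pem" "$1/sub.pem"; }
```

Run `D=$(build_demo_pki); sub_key_bits "$D"; sub_ca_flags "$D"; chain_ok "$D"` to see 4096, 1 and `OK`; a 1024-bit result can only come from the requester's key generation, not from the signing config.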