Christian Stock wrote:
> Hello,
>
> I have the following problem: I want to create a server key for a web-Service-Server (Soap-Server). To access this web service I use the Internet Explorer API (WinInet). This certificate should be built from a Self-Signed-Root-Certificate which I've also created. Then I add this CA-certificate to Internet Explorer's Certificate Manager in "Trusted Root Certification Authorities". Now all connections to the web service should be automatically accepted, right?
>
> - They are accepted if I have created my Root CA in this way:
>
>     openssl req -new -x509 -keyout cakey.pem -out cacert.pem -days 3650
>
> - But if I create my Root CA like this:
>
>     openssl req -new -keyout cakey.pem -out careq.pem
>     openssl ca -create_serial -out cacert.pem -days 3650 -batch -keyfile cakey.pem -selfsign -infiles careq.pem
>
> Here all certificates built from this CA were automatically rejected by Internet Explorer if I add the Root-CA to "Trusted Root Certificate Authorities".
>
> Can anybody tell me what's the difference between these certificate creation methods? In the OpenSSL-Howto certificates.txt it is listed that the first way should only be used for test certificates. It may not be the recommended way to create a root CA. The reason should be described in a file "ca.txt", but I do not find such a documentation.
>
> Thanks a lot, I hope you can help me so I can understand this
>
> regards
> Chris

A wild guess: Maybe the extension "basicConstraints = CA:true" is not included in your extensions section?
Have a look at the extensions section [ v3_ca ] in the default openssl config file (http://cvs.openssl.org/getfile/openssl/apps/openssl.cnf?v=1.23.2.5). If you are using the default openssl.cfg try adding the parameter "-extensions v3_ca" to your openssl ca call.
If this does not help, you should consider posting your generated certificate so I (or someone else) could have a closer look at it. And maybe add the config file which is used by openssl ca.
Hope it helps.
Ted ;)
--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
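Added example, not part of the original thread and not OpenSSL's own code: a shell check for the basicConstraints point raised in the reply above. It builds two self-signed certificates from a constructed minimal config and reports which one asserts CA:TRUE. Assumptions: the section names v3_ca and usr_cert mirror the stock openssl.cnf, the subject and file names are made up, and req -x509 with -extensions stands in for openssl ca -selfsign so that no CA database directory is needed.

```shell
#!/bin/sh
# Added example: compare basicConstraints in two self-signed certificates.
# Config, subject and file names are constructed for illustration.
set -eu

WORK=$(mktemp -d)

# Minimal config holding only the two extension sections being compared.
cat > "$WORK/mini.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Constructed Test Root
[ v3_ca ]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
EOF

# make_selfsigned SECTION OUTFILE
# Creates a throwaway key and a self-signed cert using extension SECTION.
make_selfsigned() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 1 \
        -config "$WORK/mini.cnf" -extensions "$1" \
        -keyout "$WORK/$1.key" -out "$2" 2>/dev/null
}

# is_ca CERT
# Succeeds only if the certificate's basicConstraints carries CA:TRUE.
is_ca() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

make_selfsigned v3_ca    "$WORK/root_with_ca.pem"
make_selfsigned usr_cert "$WORK/root_without_ca.pem"

for cert in "$WORK"/root_*.pem; do
    if is_ca "$cert"; then
        echo "$cert: basicConstraints asserts CA:TRUE"
    else
        echo "$cert: basicConstraints does not assert CA:TRUE"
    fi
done
```

The same is_ca function can be pointed at an existing cacert.pem to see which extensions the openssl ca call actually applied.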