Hi there:

>
> Ok, then in my case $PREFIX is it_root_ca.crt (PKI public cert) and
> $CAPREFIX it_root_ca.key (PKI private key) .
> but here's what I get :
>
> [pkiitr...@localhost ~/New_IT_ROOT_CA/pki/ca]
> $ openssl x509 -set_serial 01 -clrext -extfile openssl.cnf -days 3650
> -CA it_root_ca.key -CAkey it_root_ca.key -in it_root_ca.crt -out
> it_root_ca2.crt

The simplest way to do this is:

    openssl x509 -signkey it_root_ca.key -in it_root_ca.crt -clrext \
        -out it_root_ca2.pem -days 3650 -set_serial 01 \
        -extfile openssl.cnf -extensions your_new_ca_extensions

Now, what are the contents of your openssl.cnf:

You SHOULD (for a Root CA) have a section something similar to:

    [your_new_ca_extensions]
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer:always
    basicConstraints = critical,CA:true
    keyUsage = critical, digitalSignature, cRLSign, keyCertSign

That's it, that's all.

Have fun.

--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
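
Added example (not part of the original message and not its author's code): the re-sign command from the reply run against a throwaway root, followed by checks that the public key is unchanged, the new CA extensions are present, and a certificate issued under the old root still verifies against the re-signed one. The subject names, the 30-day lifetimes and the leaf certificate are constructed test data; the file names and the extension section are the ones used in the thread.

```shell
#!/bin/sh
# Added example: key, subject names and leaf certificate are constructed test data.
set -eu
cd "$(mktemp -d)"

# Extension section from the reply, under the placeholder name it uses.
cat > openssl.cnf <<'EOF'
[your_new_ca_extensions]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = critical,CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF

# Stand-in for the existing root, plus one leaf certificate it already issued.
openssl req -x509 -newkey rsa:2048 -nodes -keyout it_root_ca.key \
    -out it_root_ca.crt -subj "/CN=Example Test Root" -days 30 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=leaf.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA it_root_ca.crt -CAkey it_root_ca.key \
    -set_serial 02 -days 30 -out leaf.crt 2>/dev/null

# The command from the reply: self-sign the existing certificate again with
# its own key, clearing the old extensions and applying the new section.
resign_root() {
    openssl x509 -signkey it_root_ca.key -in it_root_ca.crt -clrext \
        -out it_root_ca2.pem -days 3650 -set_serial 01 \
        -extfile openssl.cnf -extensions your_new_ca_extensions 2>/dev/null
}

# The re-signed root must carry the same public key as the original.
same_public_key() {
    [ "$(openssl x509 -in it_root_ca.crt -noout -pubkey)" = \
      "$(openssl x509 -in it_root_ca2.pem -noout -pubkey)" ]
}
# basicConstraints and keyUsage from the new section must be present.
has_ca_extensions() {
    text=$(openssl x509 -in it_root_ca2.pem -noout -text)
    printf '%s\n' "$text" | grep 'CA:TRUE' >/dev/null &&
        printf '%s\n' "$text" | grep 'Certificate Sign' >/dev/null
}
# Certificates issued before the re-sign must still chain to the new file.
leaf_still_verifies() {
    openssl verify -CAfile it_root_ca2.pem leaf.crt >/dev/null 2>&1
}

resign_root
same_public_key && has_ca_extensions && leaf_still_verifies && echo "re-signed root OK"
```
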