I tried to open the crt file on different computers and I got different errors:

on Windows 7: The issuer of this certificate could not be found.
on Windows 2003: This certificate has an nonvalid digital signature.

Does anybody know how I can make the computers "think" that the
self-signed "ROOT CA" certificate is valid (trusted) and that it is the
parent for "SIGNING CA"?

Thanks,
--
Tanya.

On Wed, Feb 16, 2011 at 10:19 PM,  <d...@deadhat.com> wrote:
> Yes, I used your config files.
>
> With Windows 2003 (which is a version of Windows 2000), you don't have
> RSA2048 support, so it can't verify the signature.
>
> However if you verify the signature in openssl, it is fine, since openssl
> supports RSA2048.
>
> E.G.:
> [root@dj-desk1 ~]# openssl verify -CAfile root-ca.crt signing-ca.crt
> signing-ca.crt: OK
>
>
>
>> I use Windows 2003.
>>
>> Did you try my config files?
>>
>> Thanks,
>> --
>> Tanya.
>>
>> On Wed, Feb 16, 2011 at 8:15 PM,  <d...@deadhat.com> wrote:
>>> It worked for me.
>>>
>>> Are you using Windows XP? Except for a recent update, XP didn't support
>>> 2048 RSA.
>>>
>>> Regards,
>>> David
>>>
>>>
>>>> Hi guys,
>>>>
>>>> I have tried to configure a multiple-level CA structure: ROOT CA ->
>>>> SIGNING CA -> user certificates.
>>>> I use the RootSSL.cnf file and these commands to generate the root certificate:
>>>>       openssl genrsa -des3 -out root-ca.key 2048
>>>>       openssl req -new -x509 -days 3650 -key root-ca.key -out root-ca.crt -config RootSSL.cnf
>>>>
>>>> In order to generate the intermediate CA I use the OpenSSL.cnf file and these
>>>> commands:
>>>>       openssl genrsa -des3 -out signing-ca.key 2048
>>>>       openssl req -new -days 1095 -key signing-ca.key -out signing-ca.csr -config openssl.cnf
>>>>       openssl ca -config openssl.cnf -name CA_root -extensions v3_ca -out signing-ca.crt -infiles signing-ca.csr
>>>>
>>>> As a result I have an OK root certificate, but I see an error message for
>>>> the signing certificate: "This certificate has an nonvalid digital
>>>> signature."
>>>>
>>>> Can somebody advise me what I am doing wrong?
>>>>
>>>> Thanks,
>>>> --
>>>> Tanya Lozovaya.
>>>>
>>>
>>>
>>
>>
>>
>> --
>> Tanya Lozovaya.
>>
>
>



-- 
Tanya Lozovaya.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
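
Added example, not part of the original thread or the posters' configuration: a shell script that rebuilds the ROOT CA -> SIGNING CA hierarchy with throwaway keys, repeats the `openssl verify -CAfile` check from the reply, and shows the same certificate being rejected against a root that did not sign it. The subject names, the `ca.cnf` contents, the function names, and the use of `openssl x509 -req` in place of `openssl ca` are assumptions made for the example.

```shell
#!/bin/sh
# Added example: constructed names, throwaway keys, not the posters' config files.
# Keys are left unencrypted (-nodes) so nothing prompts for a passphrase.

make_chain() {  # $1 = existing empty directory to fill
  d=$1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = replaced by -subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  # Self-signed root with a 2048-bit RSA key, as in the thread.
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 -config "$d/ca.cnf" \
    -subj "/CN=Example ROOT CA" -keyout "$d/root-ca.key" \
    -out "$d/root-ca.crt" 2>/dev/null || return 1
  # Signing CA: new key and CSR, then a certificate issued by the root.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=Example SIGNING CA" -keyout "$d/signing-ca.key" \
    -out "$d/signing-ca.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/signing-ca.csr" -days 1095 -CA "$d/root-ca.crt" \
    -CAkey "$d/root-ca.key" -CAcreateserial -extfile "$d/ca.cnf" \
    -extensions v3_ca -out "$d/signing-ca.crt" 2>/dev/null
}

chain_ok() {  # $1 = trust anchor file, $2 = certificate to verify
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

cert_facts() {  # signature algorithm, key size and CA flag of certificate $1
  openssl x509 -in "$1" -noout -text |
    grep -E 'Signature Algorithm|Public-Key|CA:' | sed 's/^ *//' | sort -u
}

a=$(mktemp -d); b=$(mktemp -d)   # two unrelated hierarchies
make_chain "$a" && make_chain "$b" || exit 1
cert_facts "$a/signing-ca.crt"
chain_ok "$a/root-ca.crt" "$a/signing-ca.crt" && echo "own root: OK"
chain_ok "$b/root-ca.crt" "$a/signing-ca.crt" || echo "other root: rejected"
rm -rf "$a" "$b"
```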