Have you added the ROOTCA certificate in the trusted root certificate?

FEDERICO BERTON
DEVELOPMENT DEPARTMENT
Via Europa, 20
35015 Galliera Veneta (PD)
TEL. 049.9988200
FAX 049.9471337
http://www.trivenet.it

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On behalf of Tanya Lozovaya
Sent: Thursday, 17 February 2011 09:49
To: d...@deadhat.com; openssl-users@openssl.org
Subject: Re: Problem with multiple level CA

I tried to open crt file on different computers and I got different errors:
on Windows 7: The issuer of this certificate could not be found.
on Windows 2003: This certificate has an nonvalid digital signature.

Does anybody know how I can make the computers "think" that self-signed "ROOT CA" certificate is valid (trusted) and it is the parent for "SIGNING CA"?

Thanks,
--
Tanya.

On Wed, Feb 16, 2011 at 10:19 PM, <d...@deadhat.com> wrote:
> Yes, I used your config files.
>
> With Windows 2003 (which is a version of Windows 2000), you don't have
> RSA2048 support, so it can't verify the signature.
>
> However if you verify the signature in openssl, it is fine, since
> openssl supports RSA2048.
>
> E.G.:
> [root@dj-desk1 ~]# openssl verify -CAfile root-ca.crt signing-ca.crt
> signing-ca.crt: OK
>
>> I use Windows 2003.
>>
>> Did you try my config files?
>>
>> Thanks,
>> --
>> Tanya.
>>
>> On Wed, Feb 16, 2011 at 8:15 PM, <d...@deadhat.com> wrote:
>>> It worked for me.
>>>
>>> Are you using Windows XP? Except for a recent update, XP didn't
>>> support 2048 RSA.
>>>
>>> Regards,
>>> David
>>>
>>>> Hi guys,
>>>>
>>>> I have tried to configure multiple level CA structure:
>>>> ROOT CA -> SIGNING CA -> Users certificates
>>>>
>>>> I use RootSSL.cnf file and these commands to generate root certificate:
>>>> openssl genrsa -des3 -out root-ca.key 2048
>>>> openssl req -new -x509 -days 3650 -key root-ca.key -out root-ca.crt -config RootSSL.cnf
>>>>
>>>> In order to generate intermediate CA I use OpenSSL.cnf file and
>>>> these commands:
>>>> openssl genrsa -des3 -out signing-ca.key 2048
>>>> openssl req -new -days 1095 -key signing-ca.key -out signing-ca.csr -config openssl.cnf
>>>> openssl ca -config openssl.cnf -name CA_root -extensions v3_ca -out signing-ca.crt -infiles signing-ca.csr
>>>>
>>>> As the result I have OK root certificate, but I see error message
>>>> for signing certificate: "This certificate has an nonvalid digital
>>>> signature."
>>>>
>>>> Can somebody advise me what I am doing wrong?
>>>>
>>>> Thanks,
>>>> --
>>>> Tanya Lozovaya.
>>
>> --
>> Tanya Lozovaya.

--
Tanya Lozovaya.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
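
The ROOT CA -> SIGNING CA -> user certificate hierarchy discussed in this thread, as an added example that is not part of any message above. It builds the chain and checks it with `openssl verify`, both with and without the intermediate supplied. Assumptions: `ca.cnf` is a constructed minimal config standing in for the RootSSL.cnf and openssl.cnf files the thread does not show, `openssl x509 -req` is used in place of `openssl ca`, the subject names are made up, and the keys are left unencrypted (no `-des3`) so the script runs without passphrase prompts.

```shell
#!/bin/sh
# Added example: all file names, subjects and the config below are constructed.

build_chain() (   # $1 = empty working directory
    cd "$1" || exit 1
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_user]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
EOF
    for n in root-ca signing-ca user; do
        openssl genrsa -out "$n.key" 2048 2>/dev/null || exit 1
    done
    # Self-signed root; the CA extensions come from [v3_ca].
    openssl req -new -x509 -days 3650 -sha256 -key root-ca.key -out root-ca.crt \
        -config ca.cnf -extensions v3_ca -subj "/CN=Example ROOT CA" || exit 1
    # Intermediate: CSR signed by the root key, again marked CA:TRUE.
    openssl req -new -key signing-ca.key -out signing-ca.csr \
        -config ca.cnf -subj "/CN=Example SIGNING CA" || exit 1
    openssl x509 -req -in signing-ca.csr -CA root-ca.crt -CAkey root-ca.key \
        -CAcreateserial -days 1095 -sha256 -extfile ca.cnf -extensions v3_ca \
        -out signing-ca.crt 2>/dev/null || exit 1
    # End-entity certificate signed by the intermediate, not by the root.
    openssl req -new -key user.key -out user.csr \
        -config ca.cnf -subj "/CN=Example User" || exit 1
    openssl x509 -req -in user.csr -CA signing-ca.crt -CAkey signing-ca.key \
        -CAcreateserial -days 365 -sha256 -extfile ca.cnf -extensions v3_user \
        -out user.crt 2>/dev/null
)

verify_cert() (   # $1 = directory, $2 = certificate, $3 = optional intermediate
    cd "$1" || exit 1
    out=$(openssl verify -CAfile root-ca.crt ${3:+-untrusted "$3"} "$2" 2>&1) || true
    case $out in *"$2: OK"*) echo OK ;; *) echo FAIL ;; esac
)

# Demo run in a throwaway directory.
d=$(mktemp -d) && build_chain "$d" &&
    echo "signing-ca: $(verify_cert "$d" signing-ca.crt)," \
         "user with intermediate: $(verify_cert "$d" user.crt signing-ca.crt)," \
         "user without: $(verify_cert "$d" user.crt)"
```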