No, should I? If I'm going to generate user keys-certificates that will be signed by SIGNING CA certificate, should I force all users to install ROOT CA as trusted certificate?

On Thu, Feb 17, 2011 at 11:08 AM, Federico Berton <federico.ber...@trivenet.it> wrote:
> Have you added the ROOTCA certificate in the trusted root certificate?
>
> FEDERICO BERTON
> DEVELOPMENT DEPARTMENT
>
> Via Europa, 20
> 35015 Galliera Veneta (PD)
> TEL. 049.9988200 FAX 049.9471337
> http://www.trivenet.it
>
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
> On behalf of Tanya Lozovaya
> Sent: Thursday, February 17, 2011 09:49
> To: d...@deadhat.com; openssl-users@openssl.org
> Subject: Re: Problem with multiple level CA
>
> I tried to open crt file on different computers and I got different errors:
>
> on Windows 7: The issuer of this certificate could not be found.
> on Windows 2003: This certificate has an nonvalid digital signature.
>
> Does anybody know how I can make the computers "think" that self-signed
> "ROOT CA" certificate is valid (trusted) and it is the parent for "SIGNING
> CA"?
>
> Thanks,
> --
> Tanya.
>
> On Wed, Feb 16, 2011 at 10:19 PM, <d...@deadhat.com> wrote:
>> Yes, I used your config files.
>>
>> With Windows 2003 (Which is a version of Windows 2000), you don't have
>> RSA2048 support, so it can't verify the signature.
>>
>> However if you verify the signature in openssl, it is fine, since
>> openssl supports RSA2048.
>>
>> E.G.:
>> [root@dj-desk1 ~]# openssl verify -CAfile root-ca.crt signing-ca.crt
>> signing-ca.crt: OK
>>
>>
>>> I use Windows 2003.
>>>
>>> Did you try my config files?
>>>
>>> Thanks,
>>> --
>>> Tanya.
>>>
>>> On Wed, Feb 16, 2011 at 8:15 PM, <d...@deadhat.com> wrote:
>>>> It worked for me.
>>>>
>>>> Are you using Windows XP? Except for a recent update, XP didn't support
>>>> 2048 RSA.
>>>>
>>>> Regards,
>>>> David
>>>>
>>>>
>>>>> Hi guys,
>>>>>
>>>>> I have tried to configure multiple level CA structure: ROOT CA ->
>>>>> SIGNING CA -> Users certificates
>>>>>
>>>>> I use RootSSL.cnf file and these commands to generate root certificate:
>>>>>   openssl genrsa -des3 -out root-ca.key 2048
>>>>>   openssl req -new -x509 -days 3650 -key root-ca.key -out root-ca.crt -config RootSSL.cnf
>>>>>
>>>>> In order to generate intermediate CA I use OpenSSL.cnf file and these
>>>>> commands:
>>>>>   openssl genrsa -des3 -out signing-ca.key 2048
>>>>>   openssl req -new -days 1095 -key signing-ca.key -out signing-ca.csr -config openssl.cnf
>>>>>   openssl ca -config openssl.cnf -name CA_root -extensions v3_ca -out signing-ca.crt -infiles signing-ca.csr
>>>>>
>>>>> As the result I have OK root certificate, but I see error message
>>>>> for signing certificate: "This certificate has an nonvalid digital
>>>>> signature."
>>>>>
>>>>> Can somebody advise me what I do wrong?
>>>>>
>>>>> Thanks,
>>>>> --
>>>>> Tanya Lozovaya.
>>>>>
>>>
>>> --
>>> Tanya Lozovaya.
>>>
>
> --
> Tanya Lozovaya.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>

--
Tanya Lozovaya.
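
The following is an added example, not code from the thread or from the OpenSSL project: it rebuilds the ROOT CA -> SIGNING CA -> user hierarchy discussed above with throwaway keys and shows which inputs `openssl verify` needs before it accepts a user certificate. The subjects, file names, `demo.cnf` and the unencrypted demo keys are assumptions made for the example.

```shell
#!/bin/sh
# Constructed demo of the thread's hierarchy: ROOT CA -> SIGNING CA -> user.
# Subjects, file names and demo.cnf are made up; keys are unencrypted throwaways.

build_chain() (   # $1 = empty working directory; body runs in a subshell
    cd "$1" || exit 1
    exec 2>/dev/null   # silence key-generation progress output
    # Minimal config: the v3_ca section marks a certificate as a CA.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        'prompt = no' '[dn]' 'CN = placeholder' '[v3_ca]' \
        'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' > demo.cnf
    # Self-signed root.
    openssl req -x509 -config demo.cnf -newkey rsa:2048 -nodes -days 3650 \
        -subj '/CN=Demo ROOT CA' -keyout root-ca.key -out root-ca.crt &&
    # Signing CA: CSR signed by the root with the CA extensions.
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
        -subj '/CN=Demo SIGNING CA' -keyout signing-ca.key -out signing-ca.csr &&
    openssl x509 -req -in signing-ca.csr -CA root-ca.crt -CAkey root-ca.key \
        -CAcreateserial -days 1095 -extfile demo.cnf -extensions v3_ca \
        -out signing-ca.crt &&
    # User certificate issued by the signing CA.
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
        -subj '/CN=demo user' -keyout user.key -out user.csr &&
    openssl x509 -req -in user.csr -CA signing-ca.crt -CAkey signing-ca.key \
        -CAcreateserial -days 365 -out user.crt
)

# $1 = directory, $2 = file of trusted anchors,
# $3 = optional file of untrusted intermediates offered for path building.
verify_user() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1/user.crt"
    else
        openssl verify -CAfile "$2" "$1/user.crt"
    fi >/dev/null 2>&1
}

work=$(mktemp -d) && build_chain "$work" || exit 1
verify_user "$work" "$work/root-ca.crt" "$work/signing-ca.crt" &&
    echo "root trusted, signing CA supplied: accepted"
verify_user "$work" "$work/root-ca.crt" ||
    echo "root trusted, signing CA not supplied: rejected"
verify_user "$work" "$work/signing-ca.crt" ||
    echo "only signing CA trusted, root missing: rejected"
rm -rf "$work"
```

The same rule applies to any verifier: the root has to be a trust anchor on the verifying machine, and the signing CA certificate has to be available to it, either installed or sent along with the user certificate.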