Federico, thanks for the quick answer. I'm still not sure if it is necessary to install the ROOT CA on all users' computers.

I generated the user certificate with these commands:

    openssl req -newkey rsa:1024 -keyout user.key -config openssl.cnf -out user.req
    openssl ca -config openssl.cnf -out user.crt -infiles user.req

And then I tried to generate the pfx file with the chain (as I understand, in this case the user will not need to install the ROOT CA because this certificate will be included into the user's certificate). But I got an error:

    C:\temp\CA_NEW2>openssl pkcs12 -export -chain -in user.crt -inkey user.key -certfile CondorSigningCA/signing-ca.crt -out user.pfx
    Loading 'screen' into random state - done
    Enter pass phrase for user.key:
    Error unable to get local issuer certificate getting chain.

Or do I in any case need to install the ROOT CA certificate and then the user certificate on every user's computer?

thanks,
--
Tanya.

On Thu, Feb 17, 2011 at 11:40 AM, Federico Berton <federico.ber...@trivenet.it> wrote:
> Yes, regardless of the OS because it needs to know that you approve that your
> home-made ROOT CA is credible.
>
>
> FEDERICO BERTON
> DEVELOPMENT AREA
>
> Via Europa, 20
> 35015 Galliera Veneta (PD)
> TEL. 049.9988200 FAX 049.9471337
> http://www.trivenet.it
>
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
> On behalf of Tanya Lozovaya
> Sent: Thursday 17 February 2011 10:25
> To: openssl-users@openssl.org
> Cc: Federico Berton
> Subject: Re: Problem with multiple level CA
>
> No, should I?
> If I'm going to generate user keys-certificates that will be signed by the
> SIGNING CA certificate, should I force all users to install the ROOT CA as a
> trusted certificate?
>
> On Thu, Feb 17, 2011 at 11:08 AM, Federico Berton
> <federico.ber...@trivenet.it> wrote:
>> Have you added the ROOT CA certificate to the trusted root certificates?
>>
>> FEDERICO BERTON
>> DEVELOPMENT AREA
>>
>> Via Europa, 20
>> 35015 Galliera Veneta (PD)
>> TEL. 049.9988200 FAX 049.9471337
>> http://www.trivenet.it
>>
>>
>> -----Original Message-----
>> From: owner-openssl-us...@openssl.org
>> [mailto:owner-openssl-us...@openssl.org] On behalf of Tanya Lozovaya
>> Sent: Thursday 17 February 2011 09:49
>> To: d...@deadhat.com; openssl-users@openssl.org
>> Subject: Re: Problem with multiple level CA
>>
>> I tried to open the crt file on different computers and I got different errors:
>>
>> on Windows 7: The issuer of this certificate could not be found.
>> on Windows 2003: This certificate has an invalid digital signature.
>>
>> Does anybody know how I can make the computers "think" that the self-signed
>> "ROOT CA" certificate is valid (trusted) and is the parent for the "SIGNING
>> CA"?
>>
>> Thanks,
>> --
>> Tanya.
>>
>> On Wed, Feb 16, 2011 at 10:19 PM, <d...@deadhat.com> wrote:
>>> Yes, I used your config files.
>>>
>>> With Windows 2003 (which is a version of Windows 2000), you don't have
>>> RSA2048 support, so it can't verify the signature.
>>>
>>> However if you verify the signature in openssl, it is fine, since
>>> openssl supports RSA2048.
>>>
>>> E.G.:
>>> [root@dj-desk1 ~]# openssl verify -CAfile root-ca.crt signing-ca.crt
>>> signing-ca.crt: OK
>>>
>>>
>>>> I use Windows 2003.
>>>>
>>>> Did you try my config files?
>>>>
>>>> Thanks,
>>>> --
>>>> Tanya.
>>>>
>>>> On Wed, Feb 16, 2011 at 8:15 PM, <d...@deadhat.com> wrote:
>>>>> It worked for me.
>>>>>
>>>>> Are you using Windows XP? Except for a recent update, XP didn't support
>>>>> 2048 RSA.
>>>>>
>>>>> Regards,
>>>>> David
>>>>>
>>>>>
>>>>>> Hi guys,
>>>>>>
>>>>>> I have tried to configure a multiple level CA structure:
>>>>>> ROOT CA -> SIGNING CA -> User certificates
>>>>>>
>>>>>> I use the RootSSL.cnf file and these commands to generate the root certificate:
>>>>>> openssl genrsa -des3 -out root-ca.key 2048
>>>>>> openssl req -new -x509 -days 3650 -key root-ca.key -out root-ca.crt -config RootSSL.cnf
>>>>>>
>>>>>> In order to generate the intermediate CA I use the OpenSSL.cnf file and these
>>>>>> commands:
>>>>>> openssl genrsa -des3 -out signing-ca.key 2048
>>>>>> openssl req -new -days 1095 -key signing-ca.key -out signing-ca.csr -config openssl.cnf
>>>>>> openssl ca -config openssl.cnf -name CA_root -extensions v3_ca -out signing-ca.crt -infiles signing-ca.csr
>>>>>>
>>>>>> As the result I have an OK root certificate, but I see an error message
>>>>>> for the signing certificate: "This certificate has an invalid digital
>>>>>> signature."
>>>>>>
>>>>>> Can somebody advise me what I do wrong?
>>>>>>
>>>>>> Thanks,
>>>>>> --
>>>>>> Tanya Lozovaya.
>>>>>>
>>>>
>>>> --
>>>> Tanya Lozovaya.
>>>>
>>
>> --
>> Tanya Lozovaya.
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-users@openssl.org
>> Automated List Manager                           majord...@openssl.org
>
> --
> Tanya Lozovaya.

--
Tanya Lozovaya.
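The hierarchy this thread is about, rebuilt as an added example (not code from the thread or from the OpenSSL project): it issues ROOT CA -> SIGNING CA -> user certificate from small constructed config files, verifies the user certificate with only the root as trust anchor, and exports a PFX that carries the whole chain without relying on `-chain`. It assumes OpenSSL 1.1.1 or later on PATH; the subjects, file names and the `demo` password are constructed. Shipping the chain inside the PFX only delivers the certificates; as Federico says, each client still has to trust the root.

```shell
set -e
cd "$(mktemp -d)"   # scratch directory for the demo PKI
# Constructed minimal configs; the thread's RootSSL.cnf/openssl.cnf are not available.
cat > root.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
cat > sub_ext.cnf <<'EOF'
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
build_pki() {
    # ROOT CA: self-signed, the trust anchor every client has to hold.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 -config root.cnf \
        -subj "/CN=Demo Root CA" -keyout root-ca.key -out root-ca.crt 2>/dev/null
    # SIGNING CA: issued by the root; pathlen:0 stops it from issuing further CAs.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Signing CA" \
        -keyout signing-ca.key -out signing-ca.csr 2>/dev/null
    openssl x509 -req -in signing-ca.csr -CA root-ca.crt -CAkey root-ca.key -CAcreateserial \
        -days 1095 -sha256 -extfile sub_ext.cnf -out signing-ca.crt 2>/dev/null
    # User certificate: issued by the signing CA.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=user" \
        -keyout user.key -out user.csr 2>/dev/null
    openssl x509 -req -in user.csr -CA signing-ca.crt -CAkey signing-ca.key -CAcreateserial \
        -days 365 -sha256 -out user.crt 2>/dev/null
    cat signing-ca.crt root-ca.crt > chain.pem   # issuer order: signing CA, then root
}
# Only the ROOT is a trust anchor; the signing CA is passed as untrusted chain material.
verify_user() {
    openssl verify -CAfile root-ca.crt -untrusted signing-ca.crt user.crt
}
# pkcs12 -chain resolves issuers from the verify store (-CAfile/-CApath), not from
# -certfile, which is why the thread's command failed; -certfile with the full chain needs no lookup.
export_pfx() {
    openssl pkcs12 -export -in user.crt -inkey user.key -certfile chain.pem \
        -passout pass:demo -out user.pfx
}
# Certificates carried inside the PFX: user + signing CA + root = 3.
count_pfx_certs() {
    openssl pkcs12 -in user.pfx -passin pass:demo -nokeys | grep -c 'BEGIN CERTIFICATE'
}
build_pki && verify_user && export_pfx && count_pfx_certs
```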