Hi,

I am trying to create a certificate chain that I intend to use for signing 
SSL/TLS host certificates. The chain consists of a self-signed 
root certificate, and an intermediate certificate which will be used to sign 
the actual server certificates.

The root certificate looks like this:

bash-4.0$ openssl x509 -noout -text -nameopt oneline,-esc_msb,utf8 -certopt no_pubkey,no_sigdump -purpose -in cacert/root_ca.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = DE, ST = Hamburg, L = Hamburg, O = Köller Family, OU = Network Administration, CN = Köller Family Root Signing Certificate
        Validity
            Not Before: Feb  6 00:03:53 2013 GMT
            Not After : Jun  6 00:03:53 2060 GMT
        Subject: C = DE, ST = Hamburg, L = Hamburg, O = Köller Family, OU = Network Administration, CN = Köller Family Root Signing Certificate
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Key Usage: critical
                Certificate Sign
Trusted Uses:
  TLS Web Client Authentication, TLS Web Server Authentication, E-mail Protection
No Rejected Uses.
Alias: Root Signing Certificate
Certificate purposes:
SSL client : No
SSL client CA : Yes
SSL server : No
SSL server CA : Yes
Netscape SSL server : No
Netscape SSL server CA : Yes
S/MIME signing : No
S/MIME signing CA : Yes
S/MIME encryption : No
S/MIME encryption CA : Yes
CRL signing : No
CRL signing CA : Yes
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes
Time Stamp signing : No
Time Stamp signing CA : Yes

And here is the intermediate certificate:

bash-4.0$ openssl x509 -noout -text -nameopt oneline,-esc_msb,utf8 -certopt no_pubkey,no_sigdump -purpose -in cacert/host_ca.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = DE, ST = Hamburg, L = Hamburg, O = Köller Family, OU = Network Administration, CN = Köller Family Root Signing Certificate
        Validity
            Not Before: Feb  6 00:03:53 2013 GMT
            Not After : Jun  5 23:59:59 2059 GMT
        Subject: C = DE, ST = Hamburg, O = Köller Family, OU = Köller Family Certification Authority, CN = Köller Family Host Signing Certificate
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
Certificate purposes:
SSL client : No
SSL client CA : Yes
SSL server : No
SSL server CA : Yes
Netscape SSL server : No
Netscape SSL server CA : Yes
S/MIME signing : No
S/MIME signing CA : Yes
S/MIME encryption : No
S/MIME encryption CA : Yes
CRL signing : Yes
CRL signing CA : Yes
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes
Time Stamp signing : No
Time Stamp signing CA : Yes

To me, this looks just as I would expect; however, if I try to validate the 
chain, I get an error message:

bash-4.0$ openssl verify -x509_strict -CAfile cacert/root_ca.pem -purpose sslserver cacert/host_ca.pem
cacert/host_ca.pem: C = DE, ST = Hamburg, O = K\C3\B6ller Family, OU = K\C3\B6ller Family Certification Authority, CN = K\C3\B6ller Family Host Signing Certificate
error 26 at 0 depth lookup:unsupported certificate purpose
OK

Can anybody tell why I am getting this error, and what I should do about it?

Thanks,
Thomas
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
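The behaviour in the post, reproduced on a throwaway chain. This is an added example, not part of Thomas's message; it assumes only the openssl command-line tool (1.1.1 or newer) and uses constructed names (Example Root CA, www.example.test, a temporary directory). The point it demonstrates: `-purpose sslserver` is applied to the certificate named on the command line, the one at depth 0. With host_ca.pem in that position, verify is asking whether the intermediate CA certificate is itself a TLS server certificate, and the `x509 -purpose` listing above already answered that with "SSL server : No", because its Key Usage is Certificate Sign and CRL Sign only. Error 26 is therefore the expected answer to that question, not a defect in the chain. The script then runs the two checks that do pass: the intermediate verified against the root without `-purpose`, and an end-entity server certificate verified with `-purpose sslserver` and the intermediate supplied as `-untrusted`. One caveat on the trailing "OK" in the post: the verify tool of that era continued after a purpose error and still printed OK, whereas current releases report "verification failed" with a non-zero exit status, which this script relies on.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild a root -> intermediate
# -> server chain with constructed names and run the same kind of
# 'openssl verify -purpose' checks. Needs the openssl CLI (1.1.1 or later).
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed extension profiles. Both CAs carry only keyCertSign/cRLSign,
# the same shape as the post's root_ca.pem and host_ca.pem.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused-placeholder
[v3_root]
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_int]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Issue one certificate with a throwaway RSA-2048 key:
# $1 = file name, $2 = subject, $3 = extension section,
# $4 = serial, $5 = issuer file name (omit for a self-signed root).
issue() {
  issuer="${5:-}"
  if [ -z "$issuer" ]; then
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
      -config "$WORK/ca.cnf" -extensions "$3" -subj "$2" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
      -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -sha256 -days 1825 -set_serial "$4" \
      -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" \
      -extfile "$WORK/ca.cnf" -extensions "$3" -out "$WORK/$1.pem" 2>/dev/null
  fi
}

build_chain() {
  issue root   "/O=Example/CN=Example Root CA"         v3_root   0
  issue int    "/O=Example/CN=Example Host Signing CA" v3_int    1    root
  issue server "/O=Example/CN=www.example.test"        v3_server 1000 int
}

# Echo openssl's own Yes/No for one line of 'x509 -purpose' ($2) on cert $1.
cert_purpose() {
  openssl x509 -noout -purpose -in "$1" | sed -n "s/^$2 : //p"
}

# openssl verify against the root: $1 = -purpose value ("" for none),
# $2 = certificate under test, $3 = optional untrusted intermediate file.
# Returns openssl's exit status, 0 only when the chain is accepted.
verify_chain() {
  purpose="$1"; cert="$2"; untrusted="${3:-}"
  set -- -CAfile "$WORK/root.pem"
  if [ -n "$purpose" ]; then set -- "$@" -purpose "$purpose"; fi
  if [ -n "$untrusted" ]; then set -- "$@" -untrusted "$untrusted"; fi
  openssl verify "$@" "$cert"
}

main() {
  build_chain
  echo "intermediate: SSL server=$(cert_purpose "$WORK/int.pem" 'SSL server')," \
       "SSL server CA=$(cert_purpose "$WORK/int.pem" 'SSL server CA')"

  # What the post did: the intermediate is the depth-0 certificate, so
  # -purpose sslserver asks whether a CA certificate is a TLS server cert.
  verify_chain sslserver "$WORK/int.pem" || echo "-> rejected, as expected (error 26)"

  # Is the intermediate a valid CA under the root? Verify it without -purpose.
  verify_chain "" "$WORK/int.pem"

  # The purpose check belongs on the end-entity certificate, with the
  # intermediate supplied as untrusted chain material.
  verify_chain sslserver "$WORK/server.pem" "$WORK/int.pem"
}

main "$@"
```

Run it as a plain sh script; the three verify calls print the same "error 26 at 0 depth lookup" line for the intermediate and "OK" for the other two, and everything is created under a temporary directory that is removed on exit.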
