Hi all, although I issued a certificate for an intermediate CA (CA2) with a path length of zero (pathlen:0), I could use this certificate to create certificates for further CAs (CA3). Due to pathlen:0 I expected openssl would either cancel creation of sub-CAs with an error message or would create normal client certificates instead of CA certificates. It seems as if openssl doesn't consider the restrictions imposed by a path length of zero, or the configuration I use is incomplete. Hope you can help me with this problem.

Thanks & Regards

--------- Certificate of CA2 issued by Root CA -----------------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4122 (0x101a)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=.., ST=............, L=.........., O=......., OU=IT, CN=CA/emailAddress=c...@testdomain.com
        Validity
            Not Before: Aug 20 17:02:11 2013 GMT
            Not After : May 16 17:02:11 2016 GMT
        Subject: C=.., ST=.............., O=........., OU=IT, CN=CA2/emailAddress=c...@testdomain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:d6:80:03:b9:83:a4:fa:8d:54:71:e2:9b:1e:ff:
                    7a:f5:66:a5:f0:b8:95:fe:52:5c:06:0b:a5:48:8b:
                    0a:63:62:d4:da:b2:c7:4d:cc:bb:6d:77:eb:d7:e4:
                    d7:76:be:94:1e:26:75:9a:6c:40:63:99:2d:0c:3f:
                    95:16:d2:d1:5f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5A:E4:98:4B:35:90:FE:F3:1F:9E:30:0E:10:31:1A:52:6E:25:73:B0
            X509v3 Authority Key Identifier:
                keyid:0B:23:16:B4:6C:94:EE:EE:EF:3C:37:AB:0D:6A:75:9D:F2:6F:2F:27
                DirName:/C=../ST=....../L=........./O=........../OU=IT/CN=CA/emailAddress=c...@testdomain.com
                serial:EF:FC:FB:59:78:68:80:57
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            Netscape Cert Type:
                SSL CA, S/MIME CA, Object Signing CA
    Signature Algorithm: sha1WithRSAEncryption
        ...
----------------------------------------------------------------------

------------- Certificate of CA3 issued by CA2 -----------------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4123 (0x101b)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=.., ST=.........., O=........., OU=IT, CN=CA2/emailAddress=c...@testdomain.com
        Validity
            Not Before: Aug 20 17:03:18 2013 GMT
            Not After : May 16 17:03:18 2016 GMT
        Subject: C=.., ST=............., O=........., OU=IT, CN=CA3/emailAddress=c...@testdomain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:fb:d0:13:79:a1:84:78:2b:62:ce:59:ff:3f:f7:
                    e7:29:c8:82:d1:06:be:88:80:76:38:5d:47:40:b4:
                    b5:ae:d4:09:fa:3a:01:39:55:d9:d5:50:59:92:8b:
                    c1:0f:28:1c:2b:a7:f9:25:06:70:2d:03:41:fa:9e:
                    00:7e:bf:39:4d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                95:3B:3F:AF:BD:1E:56:0B:46:5E:80:7D:82:8F:97:E1:DC:AC:8B:6D
            X509v3 Authority Key Identifier:
                keyid:5A:E4:98:4B:35:90:FE:F3:1F:9E:30:0E:10:31:1A:52:6E:25:73:B0
                DirName:/C=../ST=.........../L=......./O=....../OU=IT/CN=CA/emailAddress=c...@testdomain.com
                serial:10:1A
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            Netscape Cert Type:
                SSL CA, S/MIME CA, Object Signing CA
    Signature Algorithm: sha1WithRSAEncryption
        ....
----------------------------------------------------------------------
--
View this message in context: http://openssl.6102.n7.nabble.com/CA-hierarchy-pathlen-0-tp46248.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
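As an added example that is not part of the original post: the script below rebuilds the hierarchy from the post (a root, CA2 with pathlen:0, CA3 signed by CA2, and an end-entity certificate signed by CA3) with throwaway keys in a temporary directory. It uses a plain `openssl x509 -req` signing step with an `-extfile`, which is an assumption about the poster's workflow; the names `root`, `ca2`, `ca3`, `leaf`, the subjects and the helper functions `issue`, `verify_status` and `leaf_error` are all constructed for this demo. What it shows is that signing CA3 succeeds because the signer never consults the issuing certificate's own Basic Constraints, and that pathlen:0 is enforced by the relying party instead: `openssl verify` accepts CA3 as the last certificate in a chain under CA2, but rejects anything CA3 issues with `path length constraint exceeded`.

```shell
#!/bin/sh
# Added demo, not from the original post: reproduce the pathlen:0 question
# with throwaway keys. Names, subjects and the "openssl x509 -req" workflow
# are assumptions made for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Self-signed root with an unconstrained CA:TRUE.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -keyout root.key -out root.csr -subj "/CN=Demo Root CA" >/dev/null 2>&1
printf '%s\n' "basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign" > root.ext
openssl x509 -req -days 365 -in root.csr -signkey root.key \
  -extfile root.ext -out root.pem >/dev/null 2>&1

# issue NAME ISSUER EXTENSIONS: sign a fresh key for NAME with ISSUER's key.
# Nothing here reads ISSUER's own basicConstraints: the signer emits whatever
# the CSR and the extfile ask for, which is exactly what the post observed.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  printf '%s\n' "$3" > "$1.ext"
  openssl x509 -req -days 365 -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
    -CAcreateserial -extfile "$1.ext" -out "$1.pem" >/dev/null 2>&1
}

# 2. CA2: intermediate limited to pathlen:0 (no further CAs below it).
issue ca2 root "basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign"

# 3. CA3: a sub-CA signed by CA2. The signing step succeeds, as in the post.
issue ca3 ca2 "basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign"

# 4. An end-entity certificate signed by CA3.
issue leaf ca3 "basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment"

cat ca2.pem ca3.pem > intermediates.pem

# Chain validation as a relying party does it. Prints "accepted" or "rejected".
verify_status() {  # verify_status TARGET UNTRUSTED_BUNDLE
  if openssl verify -CAfile root.pem -untrusted "$2" "$1" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# The verifier's reason for rejecting the leaf (empty if it was accepted).
leaf_error() {
  openssl verify -CAfile root.pem -untrusted intermediates.pem leaf.pem 2>&1 \
    | grep -o 'path length constraint exceeded' | head -n 1 || true
}

echo "CA3 as the last cert in a chain under CA2: $(verify_status ca3.pem ca2.pem)"
echo "leaf issued by CA3, chained through CA2:   $(verify_status leaf.pem intermediates.pem)"
echo "reason given for the leaf: $(leaf_error)"
```

Run it with `sh demo.sh` on a host with a working `openssl` binary. The point for a practitioner is that a path length constraint is a statement to relying parties, not a lock on the issuing key: neither `openssl x509 -req` nor `openssl ca` refuses to sign a CA:TRUE request because the signing certificate carries pathlen:0, so the constraint is only as good as the chain validation on the verifying side, where a certificate issued by CA3 is rejected while CA3 itself, as the end of the chain, still validates.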