Thank you both for your responses.
I changed to cross-certifying at the root and it worked as expected.
However, cross-certification doesn't have to be at the root, going by
RFC 4949's definition. Neither do any of my textbooks on the subject
state that it has to be at the root CA level.
N
> On Dec 31, 2015, at 12:55 PM, Jakob Bohm wrote:
>
>> You're not supposed to create two different untrusted intermediate
>> certificates, include both and hope for a good outcome. OpenSSL
>> does not try all possible untrusted intermediates at every depth
>> in the chain, that has exponential
On 31/12/2015 18:12, Viktor Dukhovni wrote:
On Thu, Dec 31, 2015 at 04:56:08PM +, Gareth Williams wrote:
I now try to cross-certify by adding another Root CA (Example Root CA) and
use that to sign the original Gareth Williams Policy CA certificate signing
request, then add this new certific
On Thu, Dec 31, 2015 at 04:56:08PM +, Gareth Williams wrote:
> I now try to cross-certify by adding another Root CA (Example Root CA) and
> use that to sign the original Gareth Williams Policy CA certificate signing
> request, then add this new certificate to the chain.crt file:
>
> Gareth Wi
Hi,
I've just installed openssl version 1.1.0-pre2-dev in my home directory
on a Fedora box in order to see the new alt chain building in operation.
I'm testing this in a lab environment by initially generating a straight
hierarchy of root CA, policy CA, issuing CA and end-entity (a web
serv