Hi,
Dynamic CRL not working when signed by intermediate CA when ca-file (Trusted CA
certs bundle) includes only the intermediate CA that signed the CRL.
Because of this the handshake is failing; is there a way to avoid this in OpenSSL
1.0.2s-fips 28 May 2019?
Br, Malli
And I am one of those who appreciates very much your
explanations/clarifications for a long time.
Thank you again Michael.
> [...]
> And here on the openssl-users list there are people with widely varying
> experience with and understanding of these matters;
> [...]
> So it's useful to try to b
> From: Michael Leone [mailto:tur...@mike-leone.com]
> Sent: Wednesday, February 12, 2020 16:09
>
> On Wed, Feb 12, 2020 at 4:19 PM Michael Wojcik
> wrote:
> >
> > the infamous "The OSI of a New Generation" presentation
>
> I'm not sure how "infamous" it is, as I've never heard of it, even in
> pa
On Wed, Feb 12, 2020 at 4:19 PM Michael Wojcik
wrote:
>
> > From: Michael Leone [mailto:tur...@mike-leone.com]
> > Sent: Wednesday, February 12, 2020 12:35
>
> > Even though I used what might be the wrong terms, I'm sure you knew what I
> > meant ...
>
> Sure. But PKIX, and X.509-based PKI more g
> From: Michael Leone [mailto:tur...@mike-leone.com]
> Sent: Wednesday, February 12, 2020 12:35
> Even though I used what might be the wrong terms, I'm sure you knew what I
> meant ...
Sure. But PKIX, and X.509-based PKI more generally, are - not to mince words -
horrible. They're agonizingly c
root CA. What I am planning on doing, is creating a Windows
>> intermediate CA, and using that to sign all my internal requests.
>> But before I do that, I have a couple of questions.
>>
>> I have the steps to install the certificate services in AD, and
>>
On Wed, Feb 12, 2020 at 2:22 PM Michael Wojcik <
michael.woj...@microfocus.com> wrote:
> > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On
> Behalf Of Michael Leone
> > Sent: Wednesday, February 12, 2020 11:59
>
> > ... the only CA I have is the root, so that is what I will be si
> From: Michael Leone [mailto:tur...@mike-leone.com]
> Sent: Wednesday, February 12, 2020 12:10
> > Here's the config section I use for my test intermediate certificate:
> > [ v3_intermediate_ca ]
> > authorityKeyIdentifier = keyid:always,issuer
> > # pathlen:0 means these certs can only sign non
ifferent for an intermediate
> CA than for a regular (I guess the term is "End Entity") certificate?
Intermediate *certificate*, not "CA".
The command per se isn't necessarily different. What's different is what
extensions are present in the certificate, per my other not
On Wed, Feb 12, 2020 at 1:16 PM Michael Wojcik <
michael.woj...@microfocus.com> wrote:
> Terminological note: "Windows intermediate CA" isn't really a meaningful
> phrase. There's nothing OS-specific about a CA. What you're creating is a
> Windows-hoste
On Wed, Feb 12, 2020 at 1:24 PM Karl Denninger wrote:
> On 2/12/2020 11:32, Michael Leone wrote:
>
> So we are mostly a MS Windows shop. But I use a Linux openssl as my root
> CA. What I am planning on doing, is creating a Windows intermediate CA, and
> using that to sign
On 2/12/2020 11:32, Michael Leone wrote:
> So we are mostly a MS Windows shop. But I use a Linux openssl as my
> root CA. What I am planning on doing, is creating a Windows
> intermediate CA, and using that to sign all my internal requests. But
> before I do that, I have a couple
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Michael Leone
> Sent: Wednesday, February 12, 2020 10:32
> So we are mostly a MS Windows shop. But I use a Linux openssl as my root CA.
> What I am planning on doing, is creating a Windows intermediat
So we are mostly a MS Windows shop. But I use a Linux openssl as my root
CA. What I am planning on doing, is creating a Windows intermediate CA, and
using that to sign all my internal requests. But before I do that, I have a
couple of questions.
I have the steps to install the certificate
> On Sep 25, 2018, at 14:34, Krehbiel, Richard wrote:
>
> For my testing I want to explore the behaviors of policies, policy
> constraints, and policy mappings. I have figured out how to request and
> issue certs with custom policy OIDs, but I haven't yet seen a method of
> granting an interm
For my testing I want to explore the behaviors of policies, policy constraints,
and policy mappings. I have figured out how to request and issue certs with
custom policy OIDs, but I haven't yet seen a method of granting an intermediate
cert with policy mappings. Can openssl do this? How? Th
On 09/01/2015 03:45, Jerry OELoo wrote:
Hi All:
I am using X509_STORE_CTX_get1_chain() to get web site's full certificate chain.
Now I am encountering an issue where some web sites do not return the
intermediate CA certificate but only the web site leaf certificate.
For example.
Hi All:
I am using X509_STORE_CTX_get1_chain() to get web site's full certificate chain.
Now I am encountering an issue where some web sites do not return the
intermediate CA certificate but only the web site leaf certificate.
For example. https://globaltrade.usbank.com
Below is certificate I get.
Su
Jerry,
When you create the intermediate certificate, you need to add the
following attribute :-
basicConstraints=CA:true
Otherwise, the intermediate CA certificate can not issue server certificates.
Best regards, John Mok
On Thu, Nov 27, 2014 at 3:43 PM, Jerry OELoo wrote:
> Hi All:
>
Hi All:
Now I want to create a certificate chain by myself.
It will look like this:
Server Certificate -> Intermediate CA -> Root CA.
Now I am using openssl command to create these certificate files.
# Create CA
openssl genrsa -out ca.key 4096
openssl req -new -x509 -nodes -sha1
"Edward Ned Harvey (openssl)"
writes:
>> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
>> us...@openssl.org] On Behalf Of Michael Wojcik
>>
>> For someone who does want more background in cryptography, I'd
>> recommend Schneier's /Applied Cryptography/ over /Cryptography
>> Engine
On Thu, Apr 24, 2014 at 12:57:36PM +, Michael Wojcik wrote:
[snip]
> > How and why do you trust any root certs? Generally they're built-in to your
> > OS or your browser, so you're just blindly trusting that those guys know
> > what
> > they're doing.
>
> And they don't, and they don't care
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
> us...@openssl.org] On Behalf Of Michael Wojcik
>
> For someone who does want more background in cryptography, I'd
> recommend Schneier's /Applied Cryptography/ over /Cryptography
> Engineering/. The latter is for people implementing
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
> us...@openssl.org] On Behalf Of Edward Ned Harvey (openssl)
> Sent: Wednesday, 23 April, 2014 21:05
> Subject: RE: SSL Root CA and Intermediate CA Certs.
>
> I don't know how you learn about SSL/TLS, oth
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
> us...@openssl.org] On Behalf Of Kaushal Shriyan
>
> I am new to SSL/TLS Certificates. Please help me understand what is the
> difference between ROOT CA Certs and Intermediate Certs or Chain Certs. I
> will appreciate if i can refer
Hi,
> > I am new to SSL/TLS Certificates. Please help me understand what is the
> > difference between ROOT CA Certs and Intermediate Certs or Chain Certs. I
> > will appreciate if i can refer to some books or tutorials to know about
> > SSL/TLS technology.
>
> The closest thing you'll probabl
On 23 Apr 2014, at 2:23 PM, Kaushal Shriyan wrote:
> I am new to SSL/TLS Certificates. Please help me understand what is the
> difference between ROOT CA Certs and Intermediate Certs or Chain Certs. I
> will appreciate if i can refer to some books or tutorials to know about
> SSL/TLS technolog
Hi,
I am new to SSL/TLS Certificates. Please help me understand what is the
difference between ROOT CA Certs and Intermediate Certs or Chain Certs. I
will appreciate if i can refer to some books or tutorials to know about
SSL/TLS technology.
Thanks and Regards,
Kaushal
On Sat, Mar 09, 2013 at 11:04:06AM -0600, Ian Pilcher wrote:
> It's becoming pretty clear that OpenSSL doesn't provide a simple way to
> do this today. (X509_V_FLAG_PARTIAL_CHAIN will probably enable this,
> but it will be years before that makes its way into slower moving
> distributions.)
>
>
On 03/09/2013 10:40 AM, Kyle Hamilton wrote:
> Create a new self-signed client CA certificate with the same key and
> Subject, setting the Issuer to the Subject of the client CA, and signed
> with the client CA private key. Use this as your client-authentication
> "root".
Well yes. I know I coul
Create a new self-signed client CA certificate with the same key and
Subject, setting the Issuer to the Subject of the client CA, and signed
with the client CA private key. Use this as your client-authentication
"root".
Alternatively, you might play around with policies, but that relies on your
h
+-+
| Root CA |
+-+
/\
/ \
/\
/ \
/\
/ \
/\
/ \
+---++---+
| Server CA
>> On Tue, Sep 25, 2012, sanjaya joshi wrote:
>>
>> >
>> > We can conclude an X509 V1 certificate to be a root ca using
>> > (EXFLAG_V1|EXFLAG_SS).
>> > Similarly, is there a way to know whether an X509 V1 certificate is an
>> > intermediate
, Sep 25, 2012, sanjaya joshi wrote:
>
> >
> > We can conclude an X509 V1 certificate to be a root ca using
> > (EXFLAG_V1|EXFLAG_SS).
> > Similarly, is there a way to know whether an X509 V1 certificate is an
> > intermediate CA or end-entity certificate ?
> >
>
On Tue, Sep 25, 2012, sanjaya joshi wrote:
>
> We can conclude an X509 V1 certificate to be a root ca using
> (EXFLAG_V1|EXFLAG_SS).
> Similarly, is there a way to know whether an X509 V1 certificate is an
> intermediate CA or end-entity certificate ?
>
You can't: t
a way to know whether an X509 V1 certificate is an
> intermediate CA or end-entity certificate ?
>
> Regards,
> Sanjaya
>
Hi,
I want to validate a CA signed certificate against its CRL.
I have root certificate from CA. I have downloaded CRL for entity
certificate (using URI in CRL Distribution Points field).
Intermediate CA certificate is also required to verify entity certificate
against CRL.
Is there any way I
Hi Jijo,
I believe interesting information can be found here :
http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html
Regards
On 13/01/2011 17:16, Jijo wrote:
Thanks for the response..
>>You have to get the IC to the client somehow. The usual method is to
have the server send it. Do
Thanks for the response..
>>You have to get the IC to the client somehow. The usual method is to have
the server send it. Does the server software provide a way to supply a
certificate chain?
What do you mean by server sending it? is it on TLS negotiation?
What do you mean by certificate chain?
On 1/12/2011 3:19 PM, Jijo wrote:
Hi All,
I hope this a basic question for you guys..
I'm trying to setup TLS connection between Client and Server.
In the server i did following things,
1. Created a selfsigned rootCA
2. Created IntermediateCA and signed with rootCA.
3. Create a Server Certific
Hi All,
I hope this a basic question for you guys..
I'm trying to setup TLS connection between Client and Server.
In the server i did following things,
1. Created a selfsigned rootCA
2. Created IntermediateCA and signed with rootCA.
3. Create a Server Certificate and signed with intermediateCA.
Hi there:
On 2010-10-15, at 7:23 AM, Neeraj Jain wrote:
> Hello,
>
> We want to implement Root CA -> intermediate CA -> Server certs, but we are
> not able to create intermediate CA, it would be great if you can help me.
Setting up the openssl.cnf to make this work 100% right
inside the file "openssl.cnf" let CA:TRUE
2010/10/15 Neeraj Jain
> Hello,
>
>
>
> We want to implement Root CA -> intermediate CA -> Server certs, but we are
> not able to create intermediate CA, it would be great if you can help me.
>
>
>
> Thanks,
>
> Neeraj Jain
>
>
>
Hello,
We want to implement Root CA -> intermediate CA -> Server certs, but we are
not able to create intermediate CA, it would be great if you can help me.
Thanks,
Neeraj Jain
Yeah, I realized that. I changed things to include an AKID if the issuer has a
SKID, and the issuer's issuer's subject DN and issuer's serial number if not.
Got it all working finally, once I had the proxy chain its intermediate CA.
(When it wasn't doing this, I th
On Thu, Mar 12, 2009, Rene Hollan wrote:
> True, but (a) it doesn't hurt to have both, and (b) if the issuer
> doesn't have a SKID, AKID issuer/serial takes the place of an AKID
> keyid.
>
The disadvantage is that if you want to support more than one intermediate CA
(c
tore. Is it possible that browsers
> actually ignore intermediate CA certs in their trust store and expect
> servers to provide them? That's the next thing for me to try (if only I
> can remember how to do that with openssl... :-)).
>
Well if you had to add intermediate CAs to
a nice cert chain).
>
>
> -Original Message-
> From: Rene Hollan
> Sent: Thursday, March 12, 2009 6:34 PM
> To: 'openssl-users@openssl.org'
> Subject: RE: Can't recognize intermediate CA
>
> Sigh.
>
> Well, I added the intermediate CA to the cert chain
ven though both cacert.pem
> and intcert2.pem are in its trust store. Is it possible that browsers
> actually ignore intermediate CA certs in their trust store and expect
> servers to provide them? That's the next thing for me to try (if only I
> can remember how to do that with op
enssl-users@openssl.org'
Subject: RE: Can't recognize intermediate CA
Sigh.
Well, I added the intermediate CA to the cert chain sent by my proxy
(and verified this with wireshark).
OpenSSL s_client -CAfile cacert.pem -host login.yahoo.com -port 443
works and shows the trust chain.
But
Sigh.
Well, I added the intermediate CA to the cert chain sent by my proxy
(and verified this with wireshark).
OpenSSL s_client -CAfile cacert.pem -host login.yahoo.com -port 443
works and shows the trust chain.
But, Firefox, with cacert.pem loaded into its trust store still
comp
: Thursday, March 12, 2009 4:23 PM
To: openssl-users@openssl.org
Subject: Re: Can't recognize intermediate CA
You can just leave out the issuer+serial number combination from AKID
too.
Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL
project core develope
Yup. That fixed it.. At least as far as openssl verify -CAfile
cacert.pem -untrusted intcert2.pem yahoo-x.pem goes.
Oddly, firefox still rejects the end cert, even though both cacert.pem
and intcert2.pem are in its trust store. Is it possible that browsers
actually ignore intermediate CA
Sincerely,
Giang Nguyen
> Date: Fri, 13 Mar 2009 00:22:56 +0100
> From: st...@openssl.org
> To: openssl-users@openssl.org
> Subject: Re: Can't recognize intermediate CA
>
> On Thu, Mar 12, 2009, Rene Hollan wrote:
>
>
On Thu, Mar 12, 2009, Rene Hollan wrote:
> Yeah, I just noticed that.
>
> I've been comparing how my intermediate CA resigned an existing cert
> (it's part of a proxy that decrypts, examines, and reencrypts -- the
> downstream client sharing a trust hierarchy with the
Yeah, I just noticed that.
I've been comparing how my intermediate CA resigned an existing cert
(it's part of a proxy that decrypts, examines, and reencrypts -- the
downstream client sharing a trust hierarchy with the intermediate
"resigning" CA) with what "OpenSSL
>> I used openssl with the intermediate CA to sign a separate cert, which
>> had a AKID keyid but no issuer, and that chain recognizes fine.
>>
>> Could the problem be the fact that yahoo.pem has an AKID keyid AND
>> issuer? (one or the other is sufficient, but I c
> I used openssl with the intermediate CA to sign a separate cert, which
> had a AKID keyid but no issuer, and that chain recognizes fine.
>
> Could the problem be the fact that yahoo.pem has an AKID keyid AND
> issuer? (one or the other is sufficient, but I could find nothing t
> I tried it with no (i.e. infinite) pathlen specified in cacert.pem. Same
> effect.
>
> Am I wrong in understanding that pathlen:0 implies no intermediate CAs
> and pathlen:1 implies at most one intermediate CA (as is the case here)?
i believe you're right: the pathlen
I tried it with no (i.e. infinite) pathlen specified in cacert.pem. Same
effect.
Am I wrong in understanding that pathlen:0 implies no intermediate CAs
and pathlen:1 implies at most one intermediate CA (as is the case here)?
I used openssl with the intermediate CA to sign a separate cert, which
the cacert has pathlen:1 in its "X509v3 Basic Constraints"
> Subject: Can't recognize intermediate CA
> Date: Thu, 12 Mar 2009 15:00:47 -0700
> From: rene.hol...@watchguard.com
> To: openssl-users@openssl.org
>
> I'
I'm tearing my hair out trying to get an intermediate CA to be
recognized.
I have cacert.pem signing intcert.pem signing (well, resigning),
yahoo.pem
Openssl verify verifies intcert.pem against cacert.pem, but won't
verify yahoo.pem against intcert.pem.
Subject/issuer match. AKID d
ollan; 'openssl-users@openssl.org'
Subject: RE: Can't recognize intermediate CA
Corrected yahoo.pem:
-BEGIN CERTIFICATE-
MIIDojCCAoqgAwIBAgIYANIyCa0j0xQjIXTkDX+dYhOXhmM6BaBMMA0GCSqGSIb3
MIIDojCCAoqgAwIBAgIYANIyCa0j0xQjIXTkDX+DQEBBQUAMEwxI
't recognize intermediate CA
I'm tearing my hair out trying to get an intermediate CA to be
recognized.
I have cacert.pem signing intcert.pem signing (well, resigning),
yahoo.pem
Openssl verify verifies intcert.pem against cacert.pem, but won't
verify yahoo.pem against intcert.pem.
S
Hi everybody,
I've been getting some problems with WebService Client on HTTPS.
I have 1 certificate and 2 intermediate CAs to access this server.
Testing my Browser, if I remove any one of the intermediate CAs, I get this:
"HTTP Error 403.7 - Forbidden: SSL client certificate is req
On Tue, Sep 25, 2007, Bynum, Don wrote:
> Please send me your extensions file, CA cert/Key and the CSR you are
> using for your intermediate. I am assuming that what you have so far is
> for testing purposes. Otherwise, I would not ask for the CA key
> (obviously). Send them to me as a zip file
enssl.org
Subject: RE: intermediate CA configuration
I have given the command
openssl x509 -req -days 365 -in intermediate.csr -CA root.certkey
-CAcreateserial -out intermediate.crt -extensions usr_cert -extfile
/etc/sll/openssl.cnf
after creating the root CA, the root.certkey is having ke
intermediate CA.
if i create a user certificate with this intermediate CA.In SSL
authentication it is giving error 24,Unknown CA.
In client machine i installed all the certificates root CA and Intermediate
CA and client certificate.It is showing clear
hierarchy.ROOT>intermedi
] On Behalf Of mallika
Sent: Thursday, September 20, 2007 4:06 AM
To: openssl-users@openssl.org
Subject: intermediate CA configuration
i want to create intermediate CA from root CA by using openssl.cnf. how
to configure openssl.cnf file for creating intermediate ca which
contains all attributes like
i want to create intermediate CA from root CA by using openssl.cnf. how to
configure openssl.cnf file for creating intermediate ca which contains all
attributes like root ca which is having obj signing,certificate
revocation...can any body help me
--
View this message in context:
http
Hi All,
Please can any one tell me what are the different methods to create an
Intermediate ca certificate.
Regards,
Jaya
__
OpenSSL Project http://www.openssl.org
User Support Mailing List
On Wed, May 17, 2006, Phil Dibowitz wrote:
> Dr. Stephen Henson wrote:
> > Your problem is that you are telling OpenSSL to include the AKID
> > extension by
> > copying the SKID from the issuing CA. That CA doesn't have an SKID
> > extension
> > so it gives the error.
> >
> > Either remove that e
Dr. Stephen Henson wrote:
> Your problem is that you are telling OpenSSL to include the AKID
> extension by
> copying the SKID from the issuing CA. That CA doesn't have an SKID
> extension
> so it gives the error.
>
> Either remove that extension from the config file or include SKID in the
> root
On Tue, May 16, 2006, Phil Dibowitz wrote:
> OpenSSL folks,
>
> I'm having an issue when making an intermediate CA.
>
> As I understand the specs (and please, correct me if I'm wrong), a root
> (i.e. self-signed) CA can be a v1 certificate, but intermediate CAs
OpenSSL folks,
I'm having an issue when making an intermediate CA.
As I understand the specs (and please, correct me if I'm wrong), a root
(i.e. self-signed) CA can be a v1 certificate, but intermediate CAs must:
(a) be v3
(b) have SubjectKeyIdentifier
(c) have AuthorityKey
On Thu, Apr 06, 2006, Dr. Stephen Henson wrote:
>
> No you always need to send two certificates, it depends on what you want to
> do.
>
Urgle, typo. I mean to say "No you don't always need to send two
certificates..."
Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
Op
On Thu, Apr 06, 2006, Francisco Javier Martinez Martinez wrote:
>
> Now I could import this .der certificate in my browser-certs repository,
> and I could see it as a intermediate CA, and the root CA certificate in the
> correct windows repository.
>
> But with this way I
ser-certs repository,
and I could see it as a intermediate CA, and the root CA certificate in
the correct windows repository.
But with this way I had to spread two certificates for the customers.
And I was wondering if there is a way to spread only one file with the
two certificates, already browsing
On Wed, Apr 05, 2006, Francisco Javier Martinez Martinez wrote:
> Hello world.
>
> I am getting crazy I can't find the solution.
>
> Could anyone be so kind of show me clues, examples, config files in order
> to make an intermediate CA?
>
> My scenario:
>
>
>
> Could anyone be so kind of show me clues, examples, config files in order
> to make an intermediate CA?
>
> My scenario:
>
> I issue certificates with openssl line commands.
> I had issue a selfsigned CA root certificate and I could issue cert for
> servers,. etc,
Hello world.
I am getting crazy I can't find the solution.
Could anyone be so kind of show me clues, examples, config files in order
to make an intermediate CA?
My scenario:
I issue certificates with openssl line commands.
I had issue a selfsigned CA root certificate and I could issue
Quoting "Dr. Stephen Henson" <[EMAIL PROTECTED]>:
> On Mon, Mar 06, 2006, [EMAIL PROTECTED] wrote:
>
>
> Can you give the full error message?
>
> It looks like it is the wrong intermediate CA being sent.
>
> With the server cert do:
>
> openssl x5
certificate".
> > >
> >
> > Use the -showcerts option to s_client to see which certificates the server
> > is
> > sending.
>
> It's sending both in the pem ...
>
> >
> > Also include the root CA as an argument to the -CAfile option.
>
Quoting "Dr. Stephen Henson" <[EMAIL PROTECTED]>:
> On Mon, Mar 06, 2006, [EMAIL PROTECTED] wrote:
>
> > Quoting "Dr. Stephen Henson" <[EMAIL PROTECTED]>:
> >
> > I've already done this except the testing with s_client part, I tested with
> > firefox which still generates the same error with that.
On Mon, Mar 06, 2006, [EMAIL PROTECTED] wrote:
> Quoting "Dr. Stephen Henson" <[EMAIL PROTECTED]>:
>
> I've already done this except the testing with s_client part, I tested with
> firefox which still generates the same error with that. I just tested with
> s_client and I get "Verify return code
e to my attention Firefox users (non-IE
> users
> > I assume really) get a message about not being able to verify the
> authenticity
> > of the certificate when they sign onto our sites due to Verisign having a
> newer
> > Intermediate CA. I was given the "pfx"
out not being able to verify the authenticity
> of the certificate when they sign onto our sites due to Verisign having a
> newer
> Intermediate CA. I was given the "pfx" file which I converted to pem with the
> set of commands below:
>
> openssl pkcs12 -in wf_ex
n onto our sites due to Verisign having a newer
Intermediate CA. I was given the "pfx" file which I converted to pem with the
set of commands below:
openssl pkcs12 -in wf_export_01062006.pfx -out wfkey030106.pem
openssl rsa -in wfkey030106.pem -out wfcert030106.pem
openssl x509
valid CA. But
> with certificate chain containing only two certificates:
> usr.cert->CA.cert, the verification is ok.
>
> SO my question is that how can i create a valid intermediate CA?
>
The default extensions when OpenSSL signs a certificate request for security
reasons are on
fication is ok.
SO my question is that how can i create a valid intermediate CA?
Thanks,
Wu
Hi, Experts,
Is there a solution for the issue of misunderstanding concerning the
authorityKeyIdentifier? (i.e. misunderstanding between MS and the rest of
the world, including openSSL)
Best regards,
Michael
--
Karl-Michae
> Oscar wrote:
>
> Hello. I try to create a Intermediate CA but i don´t know to do it. I
> create a CA root self signed but the pathlen is 0, it means that this
> CA signed end user, is it? Then how i create a intermediate CA? And
> possibly i want to create a second interm
Hello. I try to create a Intermediate CA but i
don´t know to do it. I create a CA root self signed but the pathlen is 0, it
means that this CA signed end user, is it? Then how i create a intermediate CA?
And possibly i want to create a second intermediate CA who sign this CA? (CA
root-->
On 09/24/01 01:38 PM, Dr S N Henson sat at the `puter and typed:
> Well if the certificate is correctly encoded and pathlen is absent then
> it should interpret it as unlimited. This is specified in a number of
> places including RFC2459. If Netscape is doing otherwise then it's a bug.
>
> I haven
On 09/24/01 01:38 PM, Dr S N Henson sat at the `puter and typed:
> Louis LeBlanc wrote:
> >
> >
> > Maybe OpenSSL does it this way when it encounters a cert without a
> > pathlen specified, but as I mentioned in an earlier message on this
> > thread, Netscape (4.76?) for Linux (running on FreeBS
Louis LeBlanc wrote:
>
>
> Maybe OpenSSL does it this way when it encounters a cert without a
> pathlen specified, but as I mentioned in an earlier message on this
> thread, Netscape (4.76?) for Linux (running on FreeBSD) seems to
> have a problem. Adding the pathlen was the final trick that ma
he chain between the root and server/user certs.
I then created a subdir in the MYCA directory for each 'first level'
intermediate CA, and copied openssl.cnf into it, decrementing the
pathlen constraint, and pointing the 'dir' directive in CA_default to
the subdir.
Repeat as ne
a pathlen=0 (or something
to that effect). I managed to get over the CA:True problem, and even
copied the appropriate extensions, but now, a server cert signed by an
intermediate CA causes netscape to pop up a warning that the
'Certificate path length constraint is invalid."
I am includin
Louis LeBlanc wrote:
>
>
> I am including the x509 output of my intermediate below. I notice
> that the CA constraint is false. Does this have anything to do with
> the problem? I am guessing it does, but how do I fix this? I have
> been all over the online docs, so I am fairly certain that
, and installed the intermediate CA
as a chain using the SSLCertificateChainFile directive in the Apache
httpd.conf. Sounds right to me, and that is what the online Apache
docs say to do.
But . . .
When I try to connect to the server via Netscape on the secure port, I
get the following popup:
The