Louis LeBlanc wrote:
>
>
> I am including the x509 output of my intermediate below. I notice
> that the CA constraint is false. Does this have anything to do with
> the problem? I am guessing it does, but how do I fix this? I have
> been all over the online docs, so I am fairly certain that I am just
> not seeing what's in front of me, or my antennae are just not picking
> up the right stations :)
>
This is indeed a problem. With CA:FALSE the certificate is not a valid
CA certificate and will be rejected by any reasonable software. By
default OpenSSL will sign a certificate request using end user
extensions. You can override this using the command line option
-extensions to either 'ca' or 'x509' so if you include "-extensions
v3_ca" it should work. You can also use the -signCA option to the CA.pl
script in more recent versions of OpenSSL.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
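
The fix described in the reply above, as an added example that is not part of the original message: an intermediate is signed once with an end-user extension section and once with `-extensions v3_ca`, and a leaf issued under it is then checked with `openssl verify`. The config file, the `usr_cert` section contents, the subject names and the `chain_verifies` helper are all constructed for the illustration, and `openssl x509 -req` stands in for whichever signing command was actually used.

```shell
# Added example: throwaway keys and constructed names in a temp directory.
# chain_verifies SECTION: sign the intermediate with SECTION, issue a leaf
# under it, return openssl verify's status (3 means setup failed).
chain_verifies() {
    section=$1
    dir=$(mktemp -d) || return 3
    (
        cd "$dir" || exit 3
        cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
[usr_cert]
basicConstraints = CA:FALSE
EOF
        for n in root inter leaf; do
            openssl req -new -newkey rsa:2048 -nodes -config ext.cnf \
                -subj "/CN=constructed $n" -keyout "$n.key" -out "$n.csr" \
                >/dev/null 2>&1 || exit 3
        done
        # Self-signed root, marked as a CA.
        openssl x509 -req -in root.csr -signkey root.key -days 7 \
            -extfile ext.cnf -extensions v3_ca -out root.pem >/dev/null 2>&1 || exit 3
        # Intermediate: the extension section chosen here is the whole point.
        openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key \
            -CAcreateserial -days 7 -extfile ext.cnf -extensions "$section" \
            -out inter.pem >/dev/null 2>&1 || exit 3
        # Leaf issued by the intermediate, always with end-user extensions.
        openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key \
            -CAcreateserial -days 7 -extfile ext.cnf -extensions usr_cert \
            -out leaf.pem >/dev/null 2>&1 || exit 3
        openssl x509 -in inter.pem -noout -text | grep 'CA:'
        openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null 2>&1
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}

for s in usr_cert v3_ca; do
    if chain_verifies "$s"; then echo "$s: leaf chain verifies"
    else echo "$s: leaf chain rejected"; fi
done
```

The same `grep 'CA:'` check on the `-text` output of an existing intermediate shows whether it needs to be re-issued.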