On 09/21/01 12:53 PM, Dr S N Henson sat at the `puter and typed:
> Louis LeBlanc wrote:
> >
> >
> > I am including the x509 output of my intermediate below. I notice
> > that the CA constraint is false. Does this have anything to do with
> > the problem? I am guessing it does, but how do I fix this? I have
> > been all over the online docs, so I am fairly certain that I am just
> > not seeing what's in front of me, or my antennae are just not picking
> > up the right stations :)
> >
>
> This is indeed a problem. With CA:FALSE the certificate is not a valid
> CA certificate and will be rejected by any reasonable software. By
> default OpenSSL will sign a certificate request using end user
> extensions. You can override this using the command line option
> -extensions to either 'ca' or 'x509' so if you include "-extensions
> v3_ca" it should work. You can also use the -signCA option to the CA.pl
> script in more recent versions of OpenSSL.
>
So will this also result in setting the pathlen? I noticed on a self
signed cert, CA is true, and there is also a pathlen=0 (or something
to that effect). I managed to get over the CA:True problem, and even
copied the appropriate extensions, but now, a server cert signed by an
intermediate CA causes netscape to pop up a warning that the
'Certificate path length constraint is invalid.'
I am including all Intermediate CA files between the server cert and
the root CA (in that order, but not including the server or root
cert) in a chain.crt file which is pointed to by the
SSLCertificateChain(?) directive in Apache. If I don't include
the directive, I simply get an unrecognized certificate popup, even though
I have installed the root as trusted on my browser.
I'll take a look in openssl.txt for any info on this - this helped me
get over the last hurdle - but if you know offhand, I'd appreciate the
pointer.
Thanks a bunch for the help!
Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://acadia.ne.mediaone.net
All new:
Parts not interchangeable with previous model.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
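Added example (not from the thread, and not OpenSSL's own code): a shell script that builds three root -> intermediate -> server hierarchies with the openssl command line tool and lets `openssl verify` judge them the way a browser would. It assumes `openssl` (1.1.0 or later) is on PATH; the subject names, file names and extension sections are constructed for this example, and the `usr_cert` and `v3_ca` sections only mimic the ones a stock openssl.cnf ships. Case a signs the intermediate with end-entity extensions (CA:FALSE), the default Dr Henson describes. Case b gives the root `pathlen:0`, which means that root may issue end-entity certificates only, so any intermediate under it makes the chain invalid. Case c is the hierarchy that verifies: an unconstrained root and an intermediate that may only issue leaves.

```shell
#!/bin/sh
# Added example, not from the thread: build root -> intermediate -> server
# hierarchies with the openssl CLI and let `openssl verify` judge them.
# Subjects, file names and extension sections are constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles. usr_cert and v3_ca mimic the sections a stock
# openssl.cnf ships; v3_ca_pathlen0 and server_cert are constructed here.
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
default_md         = sha256

[ req_dn ]
commonName = Common Name

# End-entity profile: what `openssl ca` uses unless told otherwise.
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment

# CA with no path length limit: intermediates may sit below it.
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# CA limited to issuing end-entity certificates: only leaves may sit below
# it, so a root with this profile can have no intermediate at all.
[ v3_ca_pathlen0 ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www.example.test
EOF

# One key per role, shared by all three cases to keep the run short.
for who in root int server; do
    openssl genrsa -out "$who.key" 2048 2>/dev/null
done

# build_chain NAME ROOT_SECTION INT_SECTION
# Writes NAME-root.pem (trust anchor), NAME-chain.crt (the intermediate, as
# Apache's SSLCertificateChainFile wants it) and NAME-server.pem.
build_chain() {
    n=$1
    # Self-signed root; -extensions selects the section, as with `openssl ca`.
    openssl req -new -x509 -key root.key -subj "/CN=Example Root" -days 30 \
        -config ext.cnf -extensions "$2" -out "$n-root.pem" 2>/dev/null
    openssl req -new -key int.key -subj "/CN=Example Intermediate" \
        -config ext.cnf -out "$n-int.csr" 2>/dev/null
    openssl x509 -req -in "$n-int.csr" -CA "$n-root.pem" -CAkey root.key \
        -CAcreateserial -days 30 -extfile ext.cnf -extensions "$3" \
        -out "$n-int.pem" 2>/dev/null
    openssl req -new -key server.key -subj "/CN=www.example.test" \
        -config ext.cnf -out "$n-server.csr" 2>/dev/null
    openssl x509 -req -in "$n-server.csr" -CA "$n-int.pem" -CAkey int.key \
        -CAcreateserial -days 30 -extfile ext.cnf -extensions server_cert \
        -out "$n-server.pem" 2>/dev/null
    cp "$n-int.pem" "$n-chain.crt"
}

# verify_chain NAME : prints "ok" when NAME-server.pem chains to NAME-root.pem
# through NAME-chain.crt, "fail" otherwise (openssl's reason goes to stderr).
verify_chain() {
    if out=$(openssl verify -CAfile "$1-root.pem" -untrusted "$1-chain.crt" \
            "$1-server.pem" 2>&1); then
        echo ok
    else
        printf '%s\n' "$out" | sed 's/^/    openssl: /' >&2
        echo fail
    fi
}

build_chain a v3_ca          usr_cert        # intermediate is CA:FALSE
build_chain b v3_ca_pathlen0 v3_ca_pathlen0  # root allows no intermediate
build_chain c v3_ca          v3_ca_pathlen0  # intermediate issues leaves only

for n in a b c; do
    printf 'case %s: %s\n' "$n" "$(verify_chain "$n")"
done
```

Before touching Apache, run the same `openssl verify -CAfile root -untrusted chain.crt server` against the real files: it reports the same basicConstraints and path length problems the browser does, and `openssl x509 -in root.crt -noout -text` shows whether the root itself carries a pathlen under "X509v3 Basic Constraints".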