Ok, I found the solution, and thought someone else might benefit from
my efforts.
What I am trying to do is create a heirarchy of intermediate CAs with
a single root CA at the top. I wish to be able to sign server certs,
primarily, and they must be able to create a trusted site that loads
without popup or warning on multiple browsers. Of course, having the
root CA be trusted is a prerequisite, so I am installing it to the
browser by simply serving it on the site with the proper mime type.
As Dr Henson pointed out, the -extensions v3_ca flag would tell
openssl that the cert was to be considered a CA, and CA:true would be
set in the cert.
However, most default self signed certs also have pathlen:0 set. This
is a roadblock, and was causing my other issue:
'Certificate path length constraint is invalid."
It's kinda kludgy, but here is what I did:
In my openssl.cnf, I changed the following line in the v3_ca section:
basicConstraints = CA:true
to this:
basicConstraints = CA:true,pathlen:5
which is obviously overkill, but at least I won't have to recreate my
root cert because of this.
the pathlen defines how many intermediate certs can be contained in
the chain between the root and server/user certs.
I then created a subdir in the MYCA directory for each 'first level'
intermediate CA, and copied openssl.cnf into it, decrementing the
pathlen constraint, and pointing the 'dir' directive in CA_default to
the subdir.
Repeat as needed for up to 5 certs deep.
Definitely messy, but I haven't gotten around to fine tuning the whole
thing into a single config that will work with multiple CAs. When I
get a chance, I'll do it.
For each intermediate CA directory, I set up a script to sign certs
which points to the proper config, so all I have to do is get the csr
into the correct location, and './sign_cert server' will sign
server.csr and output server.crt.
For my purposes, right now, each intermediate subdir is contained
within its 'parent CAs' dir, and each maintains its own serial number
count, index listing, and newcerts store. They could essentially be
placed on separate machines and continue to be used with minimum
modification.
Like I said, it's messy, but it works for now.
Thanks for the help Dr Henson!
Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://acadia.ne.mediaone.net ԿԬ
Statistics are no substitute for judgement.
-- Henry Clay
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
