Hi Steve, I used the Certificate Manager that is built into Internet Exploder to view the details of the certificate. You know, under Tools > Internet Options > Content > Certificates....
Sooner or later, we will have to distribute our root certificate to all employees, as more and more intrAnet servers over here use SSL certificates that were signed by our security department. If a Windows user receives the root certificate, and clicks on it, (s)he will get the Certificate Import Wizard, which leaves no option to choose or leave out any of the certificate's intended purposes.

The syntax of the command used for creating the root private key and the certificate was:

openssl req -x509 -newkey rsa:1024 -rand .rand -days 3650 -keyout privkey.pem -out pubcert.crt

According to the documentation, if one does not mention any extensions section in the command above, the x509_extensions section is used. Which leads to the v3_ca section. In the end, I had everything linked to this section:

extensions = v3_ca

In the [CA_default] and the [req] section:

x509_extensions = v3_ca

BTW: we also tried the -extensions option in the command. This v3_ca section now contains the following details:

basicConstraints = critical, CA:true
keyUsage = cRLSign, keyCertSign
nsCertType = sslCA, objCA
subjectAltName=email:copy
issuerAltName=issuer:copy

Still, we get certificates that can be used for a lot of purposes. A test public root certificate is enclosed.

Kind regards,
Huibert Kivits

Quoting Dr S N Henson <[EMAIL PROTECTED]>:

> Huibert Kivits wrote:
> >
> > Hi Everybody,
> >
> > I am new to this list, so maybe this question has been asked before.
> > However, I could not find anything about this in the archives.
> >
> > We are using OpenSSL successfully. However, comparing our Public Root
> > Certificate to those of external CAs like Verisign and Thawte, our
> > certificate appears to be intended for about all purposes one can imagine.
> > Verisign's certificate serves only a few purposes and apparently, they work
> > fine.
> > Ours too, but we would like to have a root certificate which serves no
> > more than the necessary purposes.
> >
>
> What tool are you using to determine the certificate purposes? If it's
> the MSIE certificate wizard then the main reason commercial CAs have
> different trust settings is because they ask for them when the CA pays
> $$$ to MS to get the certificate pre-installed.
>
> > The basis for our openssl.cnf file is the file that comes with OpenSSL.
> > I have been playing around extensively with this file but without
> > success. Anyone got a clue?
> >
>
> When you add a CA certificate manually then you get to choose between
> all possible usages. You can restrict this using the extended key usage
> extension.
>
> Steve.
> --
> Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Gemplus: http://www.gemplus.com/
> Core developer of the OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
Attachment: tst_pubcert.crt (application/pkix-cert)
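As an added example (not part of this thread, and not OpenSSL's own sample configuration), the script below writes a v3_ca section like the one Huibert lists, adds the extendedKeyUsage line that Steve's reply points to, generates a self-signed root with it, and prints the resulting extensions so the intended purposes can be checked before the root is distributed. The subject names, file names, working directory and the helper functions (write_config, make_root, show_extensions, has_eku, is_ca) are assumptions made for the demo; it uses rsa:2048 instead of the rsa:1024 in the thread and -nodes so it runs unattended, neither of which is what the original poster ran.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes a POSIX shell and the
# openssl command-line tool. Builds a root CA certificate whose v3_ca
# section carries an extendedKeyUsage extension and inspects the result.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found; nothing to demonstrate" >&2; exit 0; }

# Scratch directory for the demo (assumed location).
WORK="${TMPDIR:-/tmp}/eku-demo.$$"
mkdir -p "$WORK"

# Minimal openssl.cnf. [req] points x509_extensions at v3_ca, as in the
# thread; the added extendedKeyUsage line is what limits the purposes.
write_config() {
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
prompt             = no

[ req_distinguished_name ]
CN = Example Intranet Root CA
O  = Example Org Security Department

[ v3_ca ]
basicConstraints     = critical, CA:true
keyUsage             = critical, cRLSign, keyCertSign
subjectKeyIdentifier = hash
# Restrict the CA to TLS server and client authentication only.
extendedKeyUsage     = serverAuth, clientAuth
EOF
}

# Generate the self-signed root. -nodes leaves the key unencrypted so the
# demo runs unattended; a real CA key belongs behind a passphrase or HSM.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -config "$WORK/openssl.cnf" -extensions v3_ca \
    -keyout "$WORK/privkey.pem" -out "$WORK/pubcert.crt" 2>/dev/null
}

# Print only the X509v3 extensions block of the certificate.
show_extensions() {
  openssl x509 -in "$WORK/pubcert.crt" -noout -text |
    sed -n '/X509v3 extensions/,/Signature Algorithm/p'
}

# Return 0 when the certificate carries the serverAuth EKU, 1 otherwise.
has_eku() {
  openssl x509 -in "$WORK/pubcert.crt" -noout -text |
    grep -q 'TLS Web Server Authentication'
}

# Return 0 when basicConstraints marks the certificate as a CA.
is_ca() {
  openssl x509 -in "$WORK/pubcert.crt" -noout -text | grep -q 'CA:TRUE'
}

write_config
make_root
show_extensions
if has_eku && is_ca; then
  echo "root CA with restricted extended key usage written to $WORK/pubcert.crt"
fi
```

The generated files are left in $WORK so the certificate can be opened in the same Windows certificate viewer the thread describes; once an extendedKeyUsage extension is present, the viewer's Intended Purposes list reflects it instead of showing every purpose. Drop -nodes (or use -passout) when producing a key that will actually be kept.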