> Oscar wrote:
>
> Hello. I try to create an Intermediate CA but I don't know how to do it. I
> create a CA root self signed but the pathlen is 0, it means that this
> CA signed end user, is it? Then how do I create an intermediate CA? And
> possibly I want to create a second intermediate CA who sign this CA?
> (CA root-->CA int-->CAint2-->end user)
>
> Thanks
> Oscar
>
> P.D. I read all the later messages but I don't understand it.

You need to use the option:

CA.pl -signca

when signing the request for an intermediate CA.

If you are seeing pathlen:0 for your certificates then the openssl.cnf
is not the standard one from the OpenSSL distribution which never had a
pathlen constraint applied.

pathlen is actually the number of CA certificates that can appear below
the current certificate in the chain. It is *only* valid in CA
certificates anyway.

However if you have it set to 0 in the root certificate then only end
user certificates can be signed by that CA, which is not what you want.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED]
PGP key: via homepage.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
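
The pathlen rule from the reply above, as an added example that is not part of the original thread: a simplified Python model applied to the root --> int --> int2 --> end user chain from the question. It does not parse real certificates and ignores the self-issued-certificate exception; `Cert`, `check_chain` and `oscar_chain` are hypothetical names, and the chains are constructed samples.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cert:
    name: str
    is_ca: bool                    # basicConstraints CA:TRUE / CA:FALSE
    pathlen: Optional[int] = None  # None = no pathlen constraint present


def check_chain(chain: List[Cert]) -> Tuple[bool, str]:
    """Check a chain ordered root first, certificate being verified last."""
    if len(chain) < 2:
        return False, "need at least an issuer and a subject"
    issuers = chain[:-1]
    for i, cert in enumerate(issuers):
        if not cert.is_ca:
            return False, f"{cert.name}: not a CA, cannot sign certificates"
        # CA certificates sitting between this one and the last certificate.
        below = len(issuers) - 1 - i
        if cert.pathlen is not None and below > cert.pathlen:
            return False, f"{cert.name}: pathlen:{cert.pathlen}, {below} CA(s) below"
    return True, "ok"


def oscar_chain(root: Optional[int], int1: Optional[int] = None,
                int2: Optional[int] = None) -> List[Cert]:
    """Constructed sample: CA root --> CA int --> CA int2 --> end user."""
    return [Cert("CA root", True, root), Cert("CA int", True, int1),
            Cert("CA int2", True, int2), Cert("end user", False)]


if __name__ == "__main__":
    cases = {
        "root pathlen:0 (the question)": oscar_chain(0),
        "no pathlen anywhere": oscar_chain(None),
        "tightest working values 2/1/0": oscar_chain(2, 1, 0),
        "root pathlen:0, direct end user": [Cert("CA root", True, 0),
                                            Cert("end user", False)],
    }
    for label, chain in cases.items():
        print(f"{label:35} -> {check_chain(chain)}")
```

For a chain with two intermediate CAs the root needs pathlen 2 or more, or no pathlen at all; each CA further down can be one tighter.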