>I'd like to buy a certificate from VeriSign or Thawte that allows me to
>sign other certificates. The test certificate produced has the
>extension CA:FALSE. I'm not sure if I can sign anything with this kind
>of certificate, please advise...

No, you can't sign anything with that. What you need is what I think
they call a "cross-signing cert". Last time I looked (about 2 years ago)
you needed about 100K US to buy one.

>What happens when the certificate expires, how to renew it without
>having to renew other certificates?

You can't. Your CA certificate life cycle must be longer than any
certificates issued by it.

--
Dean Povey,              |em: [EMAIL PROTECTED] | JCSI: Java security toolkit
Senior S/W Developer     |ph: +61 7 3023 5139   | uPKI: Embedded/C PKI toolkit
Wedgetail Communications |fax: +61 7 3864 1282  | uSSL: Embedded/C SSL toolkit
Brisbane, Australia      |www: www.wedgetail.com | XML Security: XML Signatures
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
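
Both answers in the reply above can be reproduced with the openssl command line. The script below is an added example, not part of the original thread: it builds a throwaway root, a CA:FALSE certificate standing in for the test certificate, a certificate signed by that one, and a certificate that outlives the root, then verifies each. All subjects, file names and lifetimes are constructed.

```shell
#!/bin/sh
# Added example. Subjects, file names and lifetimes are constructed for the demo.

issue() {  # issue NAME ISSUER DAYS EXT_SECTION  (run inside the PKI directory)
  openssl req -new -config demo.cnf -subj "/CN=$1" -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days "$3" -extfile demo.cnf -extensions "$4" -out "$1.pem" 2>/dev/null
}

build_demo_pki() (  # build_demo_pki DIR  (subshell, so the cd stays local)
  cd "$1" || exit 1
  cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_ee]
basicConstraints = critical,CA:FALSE
EOF
  # Self-signed root with CA:TRUE, valid for 30 days.
  openssl req -new -x509 -config demo.cnf -extensions v3_ca -subj "/CN=root" \
    -newkey rsa:2048 -nodes -keyout root.key -out root.pem -days 30 2>/dev/null &&
  issue testcert root 30 v3_ee &&            # like the test certificate: CA:FALSE
  issue signed-by-test testcert 30 v3_ee &&  # the signature itself is produced
  issue longlived root 365 v3_ee             # outlives the root that issued it
)

chain_ok() {  # chain_ok DIR LEAF DAYS_FROM_NOW [INTERMEDIATE]
  at=$(( $(date +%s) + $3 * 86400 ))
  openssl verify -attime "$at" -CAfile "$1/root.pem" \
    -untrusted "$1/${4:-root}.pem" "$1/$2.pem" >/dev/null 2>&1
}

work=$(mktemp -d) && build_demo_pki "$work" || echo "PKI build failed"
report() { if chain_ok "$work" "$@"; then echo "accepted: $*"; else echo "REJECTED: $*"; fi; }
report testcert 0                 # issued directly by the CA:TRUE root
report signed-by-test 0 testcert  # issuer carries CA:FALSE
report longlived 0                # root still within its validity period
report longlived 60               # root has expired, the leaf has not
```

The CA:FALSE extension does not stop the signing operation; it makes verifiers refuse any chain that passes through that certificate as an issuer.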