On Tue, Dec 02, 2003, Jia L Wu wrote:

> Hello,
> My question is:
> I created a certificate chain: usr.cert->CA_1.cert->CA.cert.
> where CA.cert is a self-signed certificate and is imported as a trusted
> certificate.
> Signing CA_1's request with CA's private key and certificate generates
> CA_1.cert.
> Signing usr's request with CA_1's private key and CA_1.cert generates
> usr.cert.
>
> However, when I tried to verify the certificate chain using third-party
> software, I got the following error: "CA_1.cert" is not a valid CA. But
> with a certificate chain containing only two certificates:
> usr.cert->CA.cert, the verification is OK.
>
> So my question is: how can I create a valid intermediate CA?
>
The default extensions when OpenSSL signs a certificate request are, for security reasons, only usable in an end entity (EE) certificate. You can however sign as a CA instead by using the appropriate command line switches.

If you are using CA.pl then CA.pl -signCA will do. If you are using either the 'ca' or the 'x509' utilities then -extensions v3_ca should work.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
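The following script is an added illustration of the reply, not part of the thread: it builds the poster's three-certificate chain twice, once with CA_1 signed under end-entity-style extensions and once under a v3_ca section, and checks each chain with openssl verify. The config file, names and key sizes are constructed for the demonstration; the v3_ca and usr_cert sections are assumed to mirror the stock openssl.cnf sections of the same names.

```shell
# Reproduces the thread: CA_1 signed with end-entity extensions is rejected
# as a CA; CA_1 signed with the v3_ca section verifies.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
# Constructed minimal config: v3_ca marks a CA, usr_cert an end entity.
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF
# Self-signed root (the trusted CA.cert) and requests for CA_1 and usr
openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=CA -days 365 -config ext.cnf \
  -extensions v3_ca -keyout ca.key -out ca.crt 2>/dev/null
for n in ca1 usr; do
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$n" -config ext.cnf \
    -keyout "$n.key" -out "$n.csr" 2>/dev/null
done
# sign_ca1 SECTION OUTFILE: sign CA_1's request with CA's key using that section
sign_ca1() {
  openssl x509 -req -in ca1.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -extfile ext.cnf -extensions "$1" -out "$2" 2>/dev/null
}
sign_ca1 usr_cert ca1_ee.crt   # default end-entity extensions
sign_ca1 v3_ca    ca1_ca.crt   # what -extensions v3_ca (or CA.pl -signCA) gives
# usr.cert issued by CA_1 (same key and subject name for both CA_1 variants)
openssl x509 -req -in usr.csr -CA ca1_ca.crt -CAkey ca1.key -CAcreateserial \
  -days 365 -extfile ext.cnf -extensions usr_cert -out usr.crt 2>/dev/null
# chain_status INTERMEDIATE: prints "ok" or "rejected" for usr.crt -> CA_1 -> CA
chain_status() {
  if openssl verify -CAfile ca.crt -untrusted "$1" usr.crt >/dev/null 2>&1; then
    echo ok
  else
    echo rejected
  fi
}
echo "EE-style CA_1:    $(chain_status ca1_ee.crt)"   # rejected
echo "v3_ca-style CA_1: $(chain_status ca1_ca.crt)"   # ok
```

Run `openssl verify -verbose` on the rejected chain to see the "invalid CA certificate" reason that the poster's third-party tool reported in its own words.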