Ok I figured it out, doh! Here's part of my openssl command:

    openssl x509 -req -days $days -in $csrfile -extfile extfile -extensions extend

I use -extfile and -extensions. Here's my extfile:

    extensions = extend

    [ extend ]
    keyUsage = digitalSignature
    extendedKeyUsage = clientAuth
    nsCertType = client

The outcome will be this:

    Certificate purposes:
    SSL client : Yes
    SSL client CA : No
    SSL server : No
    SSL server CA : No
    Netscape SSL server : No
    Netscape SSL server CA : No
    S/MIME signing : No
    S/MIME signing CA : No
    S/MIME encryption : No
    S/MIME encryption CA : No
    CRL signing : No
    CRL signing CA : No
    Any Purpose : Yes
    Any Purpose CA : Yes
    OCSP helper : Yes
    OCSP helper CA : No

--- ray v <[EMAIL PROTECTED]> wrote:

> Let me see if I understand what you're saying?
>
> I need to generate another CA certificate that has only
> ssl client set yes?
>
> This does not make sense especially if you read the
> extension section in the openssl.cnf file [ usr_cert ]
> which specifies that upon signing you can change the
> purpose of the certificate being signed.
>
> [ usr_cert ]
>
> # These extensions are added when 'ca' signs a request.
>
> "# For normal client use this is typical
> # nsCertType = client, email"
>
> It would appear that this is where you tell the CA
> upon signing to add the type. The problem is by default
> it adds almost everything except CA ability which is
> turned off by basicConstraints. So if what is written
> above is true then how do you remove types?
>
> I'm sure that I don't have all the facts here, but
> they are a bit confusing..
>
> --- Michael Weiner <[EMAIL PROTECTED]> wrote:
>
> > ray v wrote:
> > > Hi Michael,
> > >
> > > Thanks for responding.
> > >
> > > My problem is a little more involved than that. I'm
> > > the CA, err, using openssl and creating a CA
> > > certificate using the v3_ca extension. I have quite a
> > > number of certificates being used by our servers.
> > > Recently we wanted to start generating user
> > > certificates but we also want to restrict the purpose
> > > field to just "ssl client". We don't want to include
> > > ssl server, netscape*, objsign, or e-mail. ... just
> > > ssl client.
> > >
> > > There must be a way to do this during CSR signing but
> > > I'm just not sure what to look for?
> >
> > You still need to modify your CA certificate in
> > order to generate and sign the "client" certificates
> > with the proper properties, and no more than what you
> > define the CA to be valid for.
> >
> > Michael
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
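The signing step described in the reply, as an added example that is not part of the thread: a script that creates a throwaway CA and client CSR (constructed subject names), signs with the same extension section plus basicConstraints = CA:FALSE (an addition here), and then checks the -purpose report so the client-only restriction is verified rather than eyeballed. It assumes only the openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway CA, sign a CSR with an
# extension section that restricts the leaf to SSL-client use, then read back
# the purposes with "openssl x509 -purpose". Needs only the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Same extensions as the extfile in the reply, plus basicConstraints = CA:FALSE
# (an addition here, so the leaf is explicitly non-CA as well as client-only).
cat > "$WORK/extfile" <<'EOF'
extensions = extend
[ extend ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
nsCertType = client
EOF

# Throwaway CA and client CSR (constructed subject names, no real identities).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=example-user" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null

# Sign the CSR the way the reply does: -extfile plus -extensions <section>.
CLIENT_CRT="$WORK/client.crt"
openssl x509 -req -days 1 -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/extfile" \
    -extensions extend -out "$CLIENT_CRT" 2>/dev/null

# purpose_of CERT LABEL -> "Yes"/"No" for one row of the -purpose report
# ("SSL client" does not match the "SSL client CA" row; '|' avoids the / in S/MIME).
purpose_of() {
    openssl x509 -in "$1" -noout -purpose | sed -n "s|^$2 *: *||p"
}

# client_only CERT -> exit 0 only if the cert is usable as an SSL client and
# for none of the server, CA, S/MIME or CRL-signing roles.
client_only() {
    [ "$(purpose_of "$1" "SSL client")" = "Yes" ] || return 1
    for p in "SSL client CA" "SSL server" "SSL server CA" "Netscape SSL server" \
             "S/MIME signing" "S/MIME encryption" "CRL signing"; do
        [ "$(purpose_of "$1" "$p")" = "No" ] || return 1
    done
}

openssl x509 -in "$CLIENT_CRT" -noout -purpose
client_only "$CLIENT_CRT" && echo "OK: $CLIENT_CRT is restricted to SSL client use"
```

"Any Purpose" and "OCSP helper" still report Yes, as in the reply's output; they are not restricted by these extensions, so a relying party should check extendedKeyUsage/keyUsage rather than those rows.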