On Mon, Feb 27, 2006 at 01:41:33PM +0100, Dr. Stephen Henson wrote:
> Since you didn't include the root CA it isn't possible to say why it isn't
> excluded.
> 
> I notice the small serial numbers in the certificates and some invalid
> extensions in there. I'd suggest using the CA.pl script (if you use OpenSSL
> 0.9.8 get it from a recent snapshot: the included one is buggy) instead.

The root certificate is attached below. I also tried appending this to my
server.example.com-cert.pem (so there were three certificates in all), but
that didn't make a difference.

Is it correct of me simply to concatenate the server certificate together
with the sub-CA certificate and the root certificate? Or should TinyCA have
created a certificate which incorporates the whole chain itself? Or does the
application use some other mechanism to assemble the chain from the
constituent certificates? I'm afraid I'm not sufficiently PKCS#7-savvy to
know what a real certificate at the bottom of a chain should look like.

I think that the small serial numbers are intentional; these are the first
certificates issued by the root CA and the sub CA respectively, and openssl
creates them as newcerts/01.pem. However, I note that the root self-signed
certificate does seem to have a very large serial number.

I can try doing everything from scratch using openssl commands solely, but
TinyCA itself is just a set of perl scripts which call openssl req/ca as
required. Do you think TinyCA is invoking openssl wrongly in this case?

Regards,

Brian.

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

    0:d=0  hl=4 l=1794 cons: SEQUENCE          
    4:d=1  hl=4 l=1258 cons: SEQUENCE          
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]        
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=   9 prim: INTEGER           :FE615D033A97727E
   24:d=2  hl=2 l=  13 cons: SEQUENCE          
   26:d=3  hl=2 l=   9 prim: OBJECT            :md5WithRSAEncryption
   37:d=3  hl=2 l=   0 prim: NULL              
   39:d=2  hl=3 l= 137 cons: SEQUENCE          
   42:d=3  hl=2 l=  11 cons: SET               
   44:d=4  hl=2 l=   9 cons: SEQUENCE          
   46:d=5  hl=2 l=   3 prim: OBJECT            :countryName
   51:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :GB
   55:d=3  hl=2 l=  15 cons: SET               
   57:d=4  hl=2 l=  13 cons: SEQUENCE          
   59:d=5  hl=2 l=   3 prim: OBJECT            :localityName
   64:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :London
   72:d=3  hl=2 l=  47 cons: SET               
   74:d=4  hl=2 l=  45 cons: SEQUENCE          
   76:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
   81:d=5  hl=2 l=  38 prim: PRINTABLESTRING   :Candler Insecure Certificate Authority
  121:d=3  hl=2 l=  27 cons: SET               
  123:d=4  hl=2 l=  25 cons: SEQUENCE          
  125:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  130:d=5  hl=2 l=  18 prim: PRINTABLESTRING   :root.ca.linnet.org
  150:d=3  hl=2 l=  27 cons: SET               
  152:d=4  hl=2 l=  25 cons: SEQUENCE          
  154:d=5  hl=2 l=   9 prim: OBJECT            :emailAddress
  165:d=5  hl=2 l=  12 prim: IA5STRING         :[EMAIL PROTECTED]
  179:d=2  hl=2 l=  30 cons: SEQUENCE          
  181:d=3  hl=2 l=  13 prim: UTCTIME           :060227094845Z
  196:d=3  hl=2 l=  13 prim: UTCTIME           :160225094845Z
  211:d=2  hl=3 l= 137 cons: SEQUENCE          
  214:d=3  hl=2 l=  11 cons: SET               
  216:d=4  hl=2 l=   9 cons: SEQUENCE          
  218:d=5  hl=2 l=   3 prim: OBJECT            :countryName
  223:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :GB
  227:d=3  hl=2 l=  15 cons: SET               
  229:d=4  hl=2 l=  13 cons: SEQUENCE          
  231:d=5  hl=2 l=   3 prim: OBJECT            :localityName
  236:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :London
  244:d=3  hl=2 l=  47 cons: SET               
  246:d=4  hl=2 l=  45 cons: SEQUENCE          
  248:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
  253:d=5  hl=2 l=  38 prim: PRINTABLESTRING   :Candler Insecure Certificate Authority
  293:d=3  hl=2 l=  27 cons: SET               
  295:d=4  hl=2 l=  25 cons: SEQUENCE          
  297:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  302:d=5  hl=2 l=  18 prim: PRINTABLESTRING   :root.ca.linnet.org
  322:d=3  hl=2 l=  27 cons: SET               
  324:d=4  hl=2 l=  25 cons: SEQUENCE          
  326:d=5  hl=2 l=   9 prim: OBJECT            :emailAddress
  337:d=5  hl=2 l=  12 prim: IA5STRING         :[EMAIL PROTECTED]
  351:d=2  hl=4 l= 546 cons: SEQUENCE          
  355:d=3  hl=2 l=  13 cons: SEQUENCE          
  357:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
  368:d=4  hl=2 l=   0 prim: NULL              
  370:d=3  hl=4 l= 527 prim: BIT STRING        
  901:d=2  hl=4 l= 361 cons: cont [ 3 ]        
  905:d=3  hl=4 l= 357 cons: SEQUENCE          
  909:d=4  hl=2 l=  29 cons: SEQUENCE          
  911:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
  916:d=5  hl=2 l=  22 prim: OCTET STRING      
  940:d=4  hl=3 l= 190 cons: SEQUENCE          
  943:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
  948:d=5  hl=3 l= 182 prim: OCTET STRING      
 1133:d=4  hl=2 l=  15 cons: SEQUENCE          
 1135:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
 1140:d=5  hl=2 l=   1 prim: BOOLEAN           :255
 1143:d=5  hl=2 l=   5 prim: OCTET STRING      
 1150:d=4  hl=2 l=  17 cons: SEQUENCE          
 1152:d=5  hl=2 l=   9 prim: OBJECT            :Netscape Cert Type
 1163:d=5  hl=2 l=   4 prim: OCTET STRING      
 1169:d=4  hl=2 l=   9 cons: SEQUENCE          
 1171:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Issuer Alternative Name
 1176:d=5  hl=2 l=   2 prim: OCTET STRING      
 1180:d=4  hl=2 l=  43 cons: SEQUENCE          
 1182:d=5  hl=2 l=   9 prim: OBJECT            :Netscape Comment
 1193:d=5  hl=2 l=  30 prim: OCTET STRING      
 1225:d=4  hl=2 l=  23 cons: SEQUENCE          
 1227:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Alternative Name
 1232:d=5  hl=2 l=  16 prim: OCTET STRING      
 1250:d=4  hl=2 l=  14 cons: SEQUENCE          
 1252:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
 1257:d=5  hl=2 l=   1 prim: BOOLEAN           :255
 1260:d=5  hl=2 l=   4 prim: OCTET STRING      
 1266:d=1  hl=2 l=  13 cons: SEQUENCE          
 1268:d=2  hl=2 l=   9 prim: OBJECT            :md5WithRSAEncryption
 1279:d=2  hl=2 l=   0 prim: NULL              
 1281:d=1  hl=4 l= 513 prim: BIT STRING        
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
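As an added example (editor-supplied; not code from Brian, Stephen Henson, TinyCA or OpenSSL's CA.pl), here is the three-level chain the message asks about built with bare openssl commands: a self-signed root, a sub-CA signed by the root, a server certificate signed by the sub-CA, and a concatenated chain file, followed by the `openssl verify` invocations that show which pieces the verifier needs. The names (Example Root CA, server.example.com, the file names), the random 128-bit serials and the SHA-256 signatures are assumptions of the example; it needs an openssl binary (1.1.1 or 3.x) on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: root -> sub-CA -> server chain with openssl only.
# Assumes openssl 1.1.1 or 3.x on PATH. All names and file layout are made up.
set -eu

# Minimal prompt-free req config. The [v3_ca] section is consulted only when
# openssl req is run with -x509 (the self-signed root); CSR generation ignores it.
req_cnf() {  # $1 = output file, $2 = CN
  cat > "$1" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
O = Example Corp
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Random 128-bit serial in the 0x... form -set_serial accepts, instead of the
# sequential 01, 02 values a serial file hands out.
rand_serial() { printf '0x%s' "$(openssl rand -hex 16)"; }

make_chain() {  # $1 = work dir; writes root.pem, sub.pem, server.pem, chain.pem
  d=$1
  mkdir -p "$d"
  cat > "$d/ca.ext" <<'EOF'
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
  cat > "$d/server.ext" <<'EOF'
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.example.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
  # Root: self-signed; key generation noise on stderr is discarded.
  req_cnf "$d/root.cnf" "Example Root CA"
  openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$d/root.cnf" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Sub-CA: CSR signed by the root with CA extensions from ca.ext.
  req_cnf "$d/sub.cnf" "Example Sub CA"
  openssl req -new -newkey rsa:2048 -nodes -config "$d/sub.cnf" \
    -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1825 -in "$d/sub.csr" -CA "$d/root.pem" \
    -CAkey "$d/root.key" -set_serial "$(rand_serial)" -extfile "$d/ca.ext" \
    -out "$d/sub.pem" 2>/dev/null
  # Server: CSR signed by the sub-CA with end-entity extensions from server.ext.
  req_cnf "$d/server.cnf" "server.example.com"
  openssl req -new -newkey rsa:2048 -nodes -config "$d/server.cnf" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 397 -in "$d/server.csr" -CA "$d/sub.pem" \
    -CAkey "$d/sub.key" -set_serial "$(rand_serial)" -extfile "$d/server.ext" \
    -out "$d/server.pem" 2>/dev/null
  # What a TLS server hands to clients: leaf first, then intermediates. The root
  # is left out; the client must already trust it or the chain is worthless.
  cat "$d/server.pem" "$d/sub.pem" > "$d/chain.pem"
}

# Each check greps for the "<file>: OK" line rather than relying on the exit
# status, because openssl 1.0.x's verify exited 0 even on failure.
chain_verifies()      { openssl verify -CAfile "$1/root.pem" -untrusted "$1/sub.pem"   "$1/server.pem" 2>&1 | grep -q ': OK$'; }
chain_file_verifies() { openssl verify -CAfile "$1/root.pem" -untrusted "$1/chain.pem" "$1/server.pem" 2>&1 | grep -q ': OK$'; }
leaf_alone_verifies() { openssl verify -CAfile "$1/root.pem"                            "$1/server.pem" 2>&1 | grep -q ': OK$'; }

# A chain file is nothing more than concatenated PEM blocks; count them.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

W=$(mktemp -d)
make_chain "$W"
printf 'chain.pem holds %s certificates (leaf first, then sub-CA)\n' "$(count_certs "$W/chain.pem")"
chain_verifies "$W"      && echo 'root trusted + sub-CA untrusted -> server.pem: OK'
leaf_alone_verifies "$W" || echo 'root trusted, sub-CA absent     -> server.pem: verification fails'
openssl x509 -in "$W/server.pem" -noout -subject -issuer -serial
```

The answer to the concatenation question, as the checks show, is that simple concatenation is all a chain file is: `openssl verify` accepts the same certificates either as a separate `-untrusted sub.pem` or as `-untrusted chain.pem`, and fails only when the intermediate is missing altogether. The sub-CA carries `basicConstraints=critical,CA:TRUE`, the leaf `CA:FALSE`, and both are signed with SHA-256 rather than the md5WithRSAEncryption visible in the posted root dump, which no current verifier should be expected to accept.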
