On Mon, Feb 27, 2006 at 01:41:33PM +0100, Dr. Stephen Henson wrote:
> Since you didn't include the root CA it isn't possible to say why it isn't
> excluded.
>
> I notice the small serial numbers in the certificates and some invalid
> extensions in there. I'd suggest using the CA.pl script (if you use OpenSSL
> 0.9.8 get it from a recent snapshot: the included one is buggy) instead.
The root certificate is attached below. I also tried appending this to my
server.example.com-cert.pem (so there were three certificates in all), but
that didn't make a difference.

Is it correct of me simply to concatenate the server certificate together
with the sub-CA certificate and the root certificate? Or should TinyCA have
created a certificate which incorporates the whole chain itself? Or does the
application use some other mechanism to assemble the chain from the
constituent certificates? I'm afraid I'm not sufficiently PKCS#7-savvy to
know what a real certificate at the bottom of a chain should look like.

I think that the small serial numbers are intentional; these are the first
certificates issued by the root CA and the sub CA respectively, and openssl
creates them as newcerts/01.pem. However, I note that the root self-signed
certificate does seem to have a very large serial number.

I can try doing everything from scratch using openssl commands solely, but
TinyCA itself is just a set of perl scripts which call openssl req/ca as
required. Do you think TinyCA is invoking openssl wrongly in this case?

Regards,

Brian.
-----BEGIN CERTIFICATE-----
MIIHAjCCBOqgAwIBAgIJAP5hXQM6l3J+MA0GCSqGSIb3DQEBBAUAMIGJMQswCQYD
VQQGEwJHQjEPMA0GA1UEBxMGTG9uZG9uMS8wLQYDVQQKEyZDYW5kbGVyIEluc2Vj
dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTEbMBkGA1UEAxMScm9vdC5jYS5saW5u
ZXQub3JnMRswGQYJKoZIhvcNAQkBFgxjYUBsaW5uZXQub2cwHhcNMDYwMjI3MDk0
ODQ1WhcNMTYwMjI1MDk0ODQ1WjCBiTELMAkGA1UEBhMCR0IxDzANBgNVBAcTBkxv
bmRvbjEvMC0GA1UEChMmQ2FuZGxlciBJbnNlY3VyZSBDZXJ0aWZpY2F0ZSBBdXRo
b3JpdHkxGzAZBgNVBAMTEnJvb3QuY2EubGlubmV0Lm9yZzEbMBkGCSqGSIb3DQEJ
ARYMY2FAbGlubmV0Lm9nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
86u5sSM8mxdIhuTOZbOtr2mkUOzjINQTVqIWR7mLmaCNyz5Zvqd2Pu4DjwrRadko
zVrtxlG2C1kwd9zUEB0MaRkrOL6EdaQNxNZ7OIoP+JYPAKzSlwcu6wiIFsYZZ9Zg
QCs150kw9CYfofjsC5NHWetfogJvnKtseqBfQt5Ohl3SGM26/JQpMF0GpJWL/U4L
GBvWsRKZRlTHAAWWv8AAOFPgLEfTgLKvOPNHUxoG+TDH2CtNfQO5DpxacB4WFKPP
5NSmVu5bxWWqalU07J0xuv+KlLRdJZ0ZORLaxq919ezxVCjwVfqv80Y6LzzwgZsz
9kIlWoN+N3U3SA8gVuOcrdUmh/HRIs4YkSjeaqfF0n91YNMwdMvipKmX0OeinujK
eNEvT16JAGjUaveTQulvPkWDhV7evXh1yGv5HFfoIp/N6zGAKBr2uZDtgd6vnXlU
eRLMXAtokbCkB+Rd7el4SBO0ZgeUTA2chZNjtv17mbWZQR0NQsMdYgOO4oc/MEoa
ZwaesMec0iLNtCpSq2TyxikkC0qAcirv/a4Qqbb35DXdSRiXS11A11pDTQdGqKBY
u9RZTTCk2JYkxcLC8DLf2BsK/NBrb+WV24fyLOelbbhBUyQoxvF0vkhO2MdDfjns
yr8UBF6IqYvhPmHTNSx9WJXfkLU2HyI0n7QZ/lvjipsCAwEAAaOCAWkwggFlMB0G
A1UdDgQWBBRc63ElpozI5U1LsApJkx5YAYl3HjCBvgYDVR0jBIG2MIGzgBRc63El
pozI5U1LsApJkx5YAYl3HqGBj6SBjDCBiTELMAkGA1UEBhMCR0IxDzANBgNVBAcT
BkxvbmRvbjEvMC0GA1UEChMmQ2FuZGxlciBJbnNlY3VyZSBDZXJ0aWZpY2F0ZSBB
dXRob3JpdHkxGzAZBgNVBAMTEnJvb3QuY2EubGlubmV0Lm9yZzEbMBkGCSqGSIb3
DQEJARYMY2FAbGlubmV0Lm9nggkA/mFdAzqXcn4wDwYDVR0TAQH/BAUwAwEB/zAR
BglghkgBhvhCAQEEBAMCAQYwCQYDVR0SBAIwADArBglghkgBhvhCAQ0EHhYcVGlu
eUNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAXBgNVHREEEDAOgQxjYUBsaW5uZXQu
b2cwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBAUAA4ICAQBwVm4ODxvvF5GU
qrIpPA9IF1JY2jIwgK9E3tGNmoULAUKPyx4hqHpma/h88c8ZIDZ1/CPfnIgC4doE
htSdBlErZ9aqj3ZRfhVeVoeHdEHp+xC+qHxAVeFgaSm6sa6NM2Obj1h+YECw+YeO
Vm826GT3/Pw40BI5U0UmIbeIivf+i3zGttQruo/JmE2XM+gOCjeKu1v4T189DcAm
Dlrc24K06CMwI/ZpTuexEWtWC5W3ASaxO14Liq8iDgd2x1y61zlyEYCITkXYWwos
wmlrbIc77NfIzO/fFgy+bOaJCP7R4Uz5L5zdqbmqdvhgeREJJTNX2CDVxDvaDVy2
bJQh8NMnPIAfP5kBJ9Ps6o646HwLwzD4LNPsA10uOBrfaxImT7S+vDaD5y0M0jz9
Tkxj/ry6UB78CNeRyl9SBmM+lCFAISxlZJt6VR85EVxD50PI5DjeK+xYAd8CKimr
v5vbycDQhFnd7dztIyAVOcTm/77PpYVqc1TJxPBKPPa3p/ex6H83lD9kKgip1smQ
G65x4v9jISrTpL8Cd4ERcuJmVBNVwCaKJxS5xjzhNs76gW3LeG0uxYADFMtmK2s3
H2XagAOn+pfPFUOA6CA+YaZzWcv0qL9PrRgoW4safcsCGAHxkop/9Ue1PvWMPGWc
kmnUshRcY8xjRvacwBQwu5YHc/4DDA==
-----END CERTIFICATE-----

    0:d=0  hl=4 l=1794 cons: SEQUENCE
    4:d=1  hl=4 l=1258 cons: SEQUENCE
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=   9 prim: INTEGER           :FE615D033A97727E
   24:d=2  hl=2 l=  13 cons: SEQUENCE
   26:d=3  hl=2 l=   9 prim: OBJECT            :md5WithRSAEncryption
   37:d=3  hl=2 l=   0 prim: NULL
   39:d=2  hl=3 l= 137 cons: SEQUENCE
   42:d=3  hl=2 l=  11 cons: SET
   44:d=4  hl=2 l=   9 cons: SEQUENCE
   46:d=5  hl=2 l=   3 prim: OBJECT            :countryName
   51:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :GB
   55:d=3  hl=2 l=  15 cons: SET
   57:d=4  hl=2 l=  13 cons: SEQUENCE
   59:d=5  hl=2 l=   3 prim: OBJECT            :localityName
   64:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :London
   72:d=3  hl=2 l=  47 cons: SET
   74:d=4  hl=2 l=  45 cons: SEQUENCE
   76:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
   81:d=5  hl=2 l=  38 prim: PRINTABLESTRING   :Candler Insecure Certificate Authority
  121:d=3  hl=2 l=  27 cons: SET
  123:d=4  hl=2 l=  25 cons: SEQUENCE
  125:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  130:d=5  hl=2 l=  18 prim: PRINTABLESTRING   :root.ca.linnet.org
  150:d=3  hl=2 l=  27 cons: SET
  152:d=4  hl=2 l=  25 cons: SEQUENCE
  154:d=5  hl=2 l=   9 prim: OBJECT            :emailAddress
  165:d=5  hl=2 l=  12 prim: IA5STRING         :[EMAIL PROTECTED]
  179:d=2  hl=2 l=  30 cons: SEQUENCE
  181:d=3  hl=2 l=  13 prim: UTCTIME           :060227094845Z
  196:d=3  hl=2 l=  13 prim: UTCTIME           :160225094845Z
  211:d=2  hl=3 l= 137 cons: SEQUENCE
  214:d=3  hl=2 l=  11 cons: SET
  216:d=4  hl=2 l=   9 cons: SEQUENCE
  218:d=5  hl=2 l=   3 prim: OBJECT            :countryName
  223:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :GB
  227:d=3  hl=2 l=  15 cons: SET
  229:d=4  hl=2 l=  13 cons: SEQUENCE
  231:d=5  hl=2 l=   3 prim: OBJECT            :localityName
  236:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :London
  244:d=3  hl=2 l=  47 cons: SET
  246:d=4  hl=2 l=  45 cons: SEQUENCE
  248:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
  253:d=5  hl=2 l=  38 prim: PRINTABLESTRING   :Candler Insecure Certificate Authority
  293:d=3  hl=2 l=  27 cons: SET
  295:d=4  hl=2 l=  25 cons: SEQUENCE
  297:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  302:d=5  hl=2 l=  18 prim: PRINTABLESTRING   :root.ca.linnet.org
  322:d=3  hl=2 l=  27 cons: SET
  324:d=4  hl=2 l=  25 cons: SEQUENCE
  326:d=5  hl=2 l=   9 prim: OBJECT            :emailAddress
  337:d=5  hl=2 l=  12 prim: IA5STRING         :[EMAIL PROTECTED]
  351:d=2  hl=4 l= 546 cons: SEQUENCE
  355:d=3  hl=2 l=  13 cons: SEQUENCE
  357:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
  368:d=4  hl=2 l=   0 prim: NULL
  370:d=3  hl=4 l= 527 prim: BIT STRING
  901:d=2  hl=4 l= 361 cons: cont [ 3 ]
  905:d=3  hl=4 l= 357 cons: SEQUENCE
  909:d=4  hl=2 l=  29 cons: SEQUENCE
  911:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
  916:d=5  hl=2 l=  22 prim: OCTET STRING
  940:d=4  hl=3 l= 190 cons: SEQUENCE
  943:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
  948:d=5  hl=3 l= 182 prim: OCTET STRING
 1133:d=4  hl=2 l=  15 cons: SEQUENCE
 1135:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
 1140:d=5  hl=2 l=   1 prim: BOOLEAN           :255
 1143:d=5  hl=2 l=   5 prim: OCTET STRING
 1150:d=4  hl=2 l=  17 cons: SEQUENCE
 1152:d=5  hl=2 l=   9 prim: OBJECT            :Netscape Cert Type
 1163:d=5  hl=2 l=   4 prim: OCTET STRING
 1169:d=4  hl=2 l=   9 cons: SEQUENCE
 1171:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Issuer Alternative Name
 1176:d=5  hl=2 l=   2 prim: OCTET STRING
 1180:d=4  hl=2 l=  43 cons: SEQUENCE
 1182:d=5  hl=2 l=   9 prim: OBJECT            :Netscape Comment
 1193:d=5  hl=2 l=  30 prim: OCTET STRING
 1225:d=4  hl=2 l=  23 cons: SEQUENCE
 1227:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Alternative Name
 1232:d=5  hl=2 l=  16 prim: OCTET STRING
 1250:d=4  hl=2 l=  14 cons: SEQUENCE
 1252:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
 1257:d=5  hl=2 l=   1 prim: BOOLEAN           :255
 1260:d=5  hl=2 l=   4 prim: OCTET STRING
 1266:d=1  hl=2 l=  13 cons: SEQUENCE
 1268:d=2  hl=2 l=   9 prim: OBJECT            :md5WithRSAEncryption
 1279:d=2  hl=2 l=   0 prim: NULL
 1281:d=1  hl=4 l= 513 prim: BIT STRING

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
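Brian's question (whether simply concatenating the server, sub-CA and root certificates is the right way to hand a chain to the application) can be answered by building a root -> sub-CA -> server chain with plain openssl(1) commands and then verifying the leaf the way a TLS client does. The following is an added example, not code from the original thread, from TinyCA or from CA.pl; it assumes a modern openssl (1.1.1 or 3.x) on PATH, and every name in it (root.ca.example, sub.ca.example, server.example.com, the hypothetical helper functions) is made up for the demonstration. It signs with SHA-256 rather than the md5WithRSAEncryption visible in the dump above, and lets openssl pick serial numbers rather than starting at 01.

```shell
#!/bin/sh
# Added example (not from the original thread, TinyCA or CA.pl): build a
# three-level chain with openssl(1) and show how the pieces must be assembled.
# Assumes openssl 1.1.1 or 3.x. All names below are made up.
set -eu

# Write an extension file for "openssl x509 -req -extfile". $1 = path, $2 = role.
write_ext() {
    case "$2" in
    root) printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
              'keyUsage=critical,keyCertSign,cRLSign' \
              'subjectKeyIdentifier=hash' > "$1" ;;
    sub)  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
              'keyUsage=critical,keyCertSign,cRLSign' \
              'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > "$1" ;;
    leaf) printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
              'keyUsage=critical,digitalSignature,keyEncipherment' \
              'extendedKeyUsage=serverAuth' \
              'subjectAltName=DNS:server.example.com' \
              'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > "$1" ;;
    esac
}

# Generate a private key and CSR: $1 = dir, $2 = basename, $3 = CN.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
        -out "$1/$2.csr" -subj "/CN=$3" >/dev/null 2>&1
}

# Build root, sub-CA and server certificates in $1, plus the file the
# server should present to clients.
build_chain() {
    d="$1"
    new_csr "$d" root   root.ca.example
    new_csr "$d" sub    sub.ca.example
    new_csr "$d" server server.example.com
    write_ext "$d/root.ext"   root
    write_ext "$d/sub.ext"    sub
    write_ext "$d/server.ext" leaf
    # Self-signed root; with no -set_serial, openssl 1.1.0+ picks a random serial.
    openssl x509 -req -sha256 -days 3650 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/root.ext" -out "$d/root.pem" 2>/dev/null
    # Sub-CA signed by the root; -CAcreateserial creates root.srl on first use.
    openssl x509 -req -sha256 -days 1825 -in "$d/sub.csr" -CA "$d/root.pem" \
        -CAkey "$d/root.key" -CAcreateserial -extfile "$d/sub.ext" \
        -out "$d/sub.pem" 2>/dev/null
    # Server certificate signed by the sub-CA.
    openssl x509 -req -sha256 -days 365 -in "$d/server.csr" -CA "$d/sub.pem" \
        -CAkey "$d/sub.key" -CAcreateserial -extfile "$d/server.ext" \
        -out "$d/server.pem" 2>/dev/null
    # What the server presents: the leaf first, then each intermediate.
    # The root is not needed on the wire; it lives in the client's trust store.
    cat "$d/server.pem" "$d/sub.pem" > "$d/server-chain.pem"
}

# Client-side check: root trusted, intermediate supplied from the chain file.
verify_with_intermediate() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/server-chain.pem" \
        "$1/server.pem" >/dev/null 2>&1
}

# Same check with only the root: fails with "unable to get local issuer
# certificate", which is why the intermediate must be concatenated.
verify_without_intermediate() {
    openssl verify -CAfile "$1/root.pem" "$1/server.pem" >/dev/null 2>&1
}

# Does the issuer DN of $1 equal the subject DN of $2? Use it to check that
# each certificate in a chain file is followed by the one that issued it.
issuer_matches() {
    [ "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')" = \
      "$(openssl x509 -in "$2" -noout -subject | sed 's/^subject=//')" ]
}

# Number of PEM certificates in a file.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

WORKDIR=$(mktemp -d)
build_chain "$WORKDIR"
echo "chain file holds $(cert_count "$WORKDIR/server-chain.pem") certificates"
openssl verify -CAfile "$WORKDIR/root.pem" -untrusted "$WORKDIR/sub.pem" "$WORKDIR/server.pem"
openssl verify -CAfile "$WORKDIR/root.pem" "$WORKDIR/server.pem" \
    || echo "(expected failure: no intermediate available)"
```

Run it as a script; it prints the certificate count, `server.pem: OK` for the verification with the intermediate, and the error for the one without. `openssl verify` only reads the first certificate of the file named on the command line, so the chain file is passed via `-untrusted`, and `openssl asn1parse -in root.pem -i` (or `openssl x509 -in root.pem -noout -text`) shows the extensions the way the dump above does.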