Hello.

First, thanks for the quick answer.
The commands that I had been using are OpenSSL commands directly, not perl scripts:

Creation of root CA:
openssl req -new -x509 -days 10095 -out cacert.pem -key cakey.pem -config ./openssl.cnf
openssl x509 -inform PEM -outform DER -in cacert.pem -out cacert.der   (IE ready root certificate).

Creation of a user-server certificate for testing purposes:
openssl genrsa -rand ./private/.rand.dat -des3 1024 > test.key
openssl req -new -config ./openssl.cnf -key test.key -out test.csr
openssl ca -config ./openssl.cnf -in trasto.csr -out trasto.pem

Till here everything works.

Creation of the SubCA.

1.- I had created a new openssl configuration file called openssl2.cnf, and I had added the following lines to [ v3_ca ]; the rest of the file is identical to the original:

basicConstraints=CA:TRUE,pathlen:5
keyUsage = cRLSign, keyCertSign,nonRepudiation, digitalSignature, keyEncipherment

2.- Generation of the new subCA in a different directory:

openssl genrsa -rand ./private/.rand.dat -des3 2048 -out cakey2.pem
openssl req -new -extensions v3_ca -days 3650 -out cacert2.pem -key ./cakey2.pem -config ./openssl2.cnf

openssl ca -config ./openssl.cnf -in cacert2.csr -out cacert2.pem
openssl ca -config ./openssl2.cnf -in ./cacert2.csr -out cacert2.pem -keyfile ./cakey.pem -cert ./cacert.pem   (these last two are the root CA key and cert)
openssl x509 -inform PEM -outform DER -in cacert2.pem -out cacert2.der

Now I could import this .der certificate into my browser's certificate repository, and I could see it as an intermediate CA, and the root CA certificate in the correct Windows repository.

But this way I have to spread two certificates to the customers. And I was wondering if there is a way to spread only one file with the two certificates; browsing the mailing lists I had found that pasting the root CA cert and subCA cert together directly with 'cat file1 file2 > file3' or other similar methods would work, but not for me :(.

After that I had transformed the PEM format to DER format and I had imported the file in a browser, but only the subCA certificate seems to be installed, and it is not validated, because it is missing the root cacert.

If the cat method works, is the order mandatory???
The root CA certificate begins with the literal:

 '=====Begin Certi...'

and the sub CA with 'Certificate:':

 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 1 (0x1 a.....

Is it a potential problem?

Thanks in advance.
At 17:48 05/04/2006, Dr. Stephen Henson wrote:
On Wed, Apr 05, 2006, Francisco Javier Martinez Martinez wrote:

> Hello world.
>
> I am getting crazy I can't find the solution.
>
> Could anyone be so kind of show me clues, examples, config files in order
> to make an intermediate CA?
>
> My scenario:
>
> I issue certificates with openssl  line commands.
> I had issued a self-signed CA root certificate and I could issue certs for
> servers, etc., but I could not issue and sign a certificate to work as an
> intermediate CA; it always issues me a server certificate.
>

You don't say which commands so it isn't easy to say which option you should
use.

If you use CA.pl then the -signCA option will work.

Otherwise you need to specify the configuration section v3_ca when you sign
the request.

Steve.
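On the two questions in the reply above (whether the order matters, and whether the "Certificate: / Data: / Version:" text in front of the subCA's PEM block is a problem): the text preamble is what `openssl x509 -text` prints, and a file that still carries it is no longer a clean PEM bundle. The following is an added example, not code from the original thread; it uses constructed stand-in PEM bodies (not real certificates) to show how to detect that stray text and to rebuild a clean bundle with the sub CA first and the root last.

```python
import re

# Constructed sample: mimics the subCA file above, i.e. `openssl x509 -text`
# output followed by the PEM block. The base64 body is a placeholder, not a cert.
SUBCA_FILE = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
-----BEGIN CERTIFICATE-----
U1VCQ0E=
-----END CERTIFICATE-----
"""

# Constructed sample: a root CA file that is already plain PEM.
ROOT_FILE = """-----BEGIN CERTIFICATE-----
Uk9PVA==
-----END CERTIFICATE-----
"""

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----", re.S
)


def extract_pem_certs(text):
    """Return only the PEM CERTIFICATE blocks found in text, normalised and
    without any surrounding `-text` dump."""
    return [
        "-----BEGIN CERTIFICATE-----\n" + m.group(1).strip() + "\n-----END CERTIFICATE-----\n"
        for m in PEM_RE.finditer(text)
    ]


def stray_lines(text):
    """Non-blank lines that sit outside every PEM block. These are what `cat`
    carries over from `openssl x509 -text` output and what trips up importers."""
    remaining = PEM_RE.sub("", text)
    return [ln.strip() for ln in remaining.splitlines() if ln.strip()]


def build_chain(*files):
    """Concatenate clean PEM blocks in the given order: sub CA first, root last.
    Raises if any input carries no PEM CERTIFICATE block at all."""
    blocks = []
    for content in files:
        certs = extract_pem_certs(content)
        if not certs:
            raise ValueError("no PEM CERTIFICATE block found in input")
        blocks.extend(certs)
    return "".join(blocks)
```

With OpenSSL itself, `openssl x509 -in cacert2.pem -out cacert2_clean.pem` performs the same stripping, and `openssl crl2pkcs7 -nocrl -certfile cacert2_clean.pem -certfile cacert.pem -outform DER -out chain.p7b` packs both certificates into a single PKCS#7 file that Windows/IE can import in one step.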
