OpenSSL folks, I'm having an issue when making an intermediate CA.
As I understand the specs (and please, correct me if I'm wrong), a root (i.e. self-signed) CA can be a v1 certificate, but intermediate CAs must:

(a) be v3
(b) have SubjectKeyIdentifier
(c) have AuthorityKeyIdentifier
(d) have BasicKeyConstraints

Based on that I have a CA that is self-signed with only crlDistributionPoint in it. I'm trying to create an intermediate CA with the above extensions in it and I'm having a problem.

I have this in my config:

    [ v3_ca ]
    basicConstraints = CA:TRUE
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always

But when I run:

    openssl ca -config openssl.cnf -extensions v3_ca -infiles \
        certreqs/sub_ca.csr

I get:

    Using configuration from openssl.cnf
    Check that the request matches the signature
    Signature ok
    ERROR: adding extensions in section usr_cert
    32587:error:2207707B:X509 V3 routines:V2I_AUTHORITY_KEYID:unable to get issuer keyid:v3_akey.c:151:
    32587:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in extension:v3_conf.c:92:name=authorityKeyIdentifier, value=keyid:always

I have a similar setup using a non-openssl solution, thus I'm fairly sure what I want to do is possible, I'm just missing something.

Any help would be greatly appreciated.

Thanks,
--
Phil Dibowitz
P: 310-360-2330 C: 213-923-5115
Unix Admin, Ticketmaster.com