On Tue, May 16, 2006, Phil Dibowitz wrote:

> OpenSSL folks,
> 
> I'm having an issue when making an intermediate CA.
> 
> As I understand the specs (and please, correct me if I'm wrong), a root
> (i.e. self-signed) CA can be a v1 certificate, but intermediate CAs must:
>    (a) be v3
>    (b) have SubjectKeyIdentifier
>    (c) have AuthorityKeyIdentifier
>    (d) have BasicKeyConstraints
> 


Is there some reason why you want the root CA to be V1? It is better if it is
V3 too.

Depends on the spec you read as to whether those are mandatory. In some specs
SKID/AKID is recommended but not mandatory. In fact it is AKID that is
causing the problem: see below.

BasicConstraints (not "BasicKeyConstraints") is mandatory though because that
indicates the intermediate certificate is a valid CA.

> Based on that I have a CA that is self-signed with only
> crlDistributionPoint in it. I'm trying to create an intermediate CA with
> the above extensions in it and I'm having a problem. I have this in my
> config:
> 

Well if you have an extension then it can't be a v1 certificate.


>    [ v3_ca ]
>    basicConstraints = CA:TRUE
>    subjectKeyIdentifier = hash
>    authorityKeyIdentifier = keyid:always
> 
> But when I run:
>    openssl ca -config openssl.cnf -extensions v3_ca -infiles \
>    certreqs/sub_ca.csr
> 
> I get:
>    Using configuration from openssl.cnf
>    Check that the request matches the signature
>    Signature ok
>    ERROR: adding extensions in section usr_cert
>    32587:error:2207707B:X509 V3 routines:V2I_AUTHORITY_KEYID:unable to
>    get issuer keyid:v3_akey.c:151:
>    32587:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in
>    extension:v3_conf.c:92:name=authorityKeyIdentifier,
>    value=keyid:always
> 
> I have a similar setup using a non-openssl solution, thus I'm fairly
> sure what I want to do is possible, I'm just missing something. Any help
> would be greatly appreciated.
> 

Your problem is that you are telling OpenSSL to include the AKID extension by
copying the SKID from the issuing CA. That CA doesn't have an SKID extension
so it gives the error.

Either remove that extension from the config file or include SKID in the root
CA.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
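The failure in the thread, and both of Steve's fixes, can be reproduced end to end with the OpenSSL command-line tool. The script below is an added example written for this page; it is not from the thread or from the OpenSSL project. It assumes `openssl` is on PATH, builds everything in a scratch directory, and uses `openssl x509 -req` rather than `openssl ca` so that no CA database is needed (the authorityKeyIdentifier extension is processed by the same X509 V3 code either way). The root profiles, the sub-CA CSR and the section names other than `v3_ca` are constructed for the demonstration.

```shell
#!/bin/sh
# Reproduce "unable to get issuer keyid" when signing an intermediate CA whose
# authorityKeyIdentifier = keyid:always must be copied from a root that has no
# subjectKeyIdentifier, then show the two fixes from the reply.
# Constructed example: scratch dir, throwaway EC keys, short-lived certs.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]

# Root as in the original post: no subjectKeyIdentifier at all
[ root_no_skid ]
basicConstraints = CA:TRUE

# Fix 2 from the reply: give the root an SKID so keyid:always has something to copy
[ root_skid ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash

# The v3_ca section exactly as posted in the thread
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

# Fix 1 from the reply: drop the AKID line
[ v3_ca_no_akid ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
EOF

# make_root PROFILE: self-signed root using extension section PROFILE
make_root() {
    openssl req -x509 -new -nodes -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=Example Root $1" \
        -config "$WORK/ext.cnf" -extensions "$1" -days 30 >/dev/null 2>&1
}

# make_csr: the intermediate CA's request (constructed subject)
make_csr() {
    openssl req -new -nodes -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -keyout "$WORK/sub.key" -out "$WORK/sub.csr" -subj "/CN=Example Sub CA" \
        -config "$WORK/ext.cnf" >/dev/null 2>&1
}

# sign_sub ROOT_PROFILE EXT_SECTION: returns 0 if OpenSSL issued the intermediate,
# non-zero otherwise; stderr (the X509 V3 error) is kept in $WORK/last.log
sign_sub() {
    openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -out "$WORK/sub-$1-$2.pem" -days 30 \
        -extfile "$WORK/ext.cnf" -extensions "$2" >"$WORK/last.log" 2>&1
}

# has_akid CERT: returns 0 if the issued certificate carries an Authority Key Identifier
has_akid() {
    openssl x509 -in "$1" -noout -text | grep -q 'Authority Key Identifier'
}

# run_demo: walk through the failing case and both fixes, printing one line each
run_demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed; nothing to show"; return 0; }
    make_root root_no_skid && make_root root_skid && make_csr || { echo "setup failed"; return 1; }

    if sign_sub root_no_skid v3_ca; then
        echo "root without SKID + keyid:always: issued (unexpected)"
    else
        echo "root without SKID + keyid:always: FAILED -> $(grep -o 'unable to get issuer keyid' "$WORK/last.log" | head -n1)"
    fi
    sign_sub root_no_skid v3_ca_no_akid && echo "fix 1 (AKID line removed): issued"
    sign_sub root_skid v3_ca && has_akid "$WORK/sub-root_skid-v3_ca.pem" \
        && echo "fix 2 (root carries SKID): issued, AKID present"
}

run_demo
```

Run it as `sh repro.sh`; the first line reports the same `unable to get issuer keyid` error as in the thread, the next two show the intermediate being issued once either the AKID line is dropped or the root is reissued with an SKID. Only the second fix yields an intermediate that actually carries an AKID, which is the outcome the original poster wanted.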
