[EMAIL PROTECTED] wrote:
> PKI newbie in need of help.

Hello Steward,

> When I sign an SSL cert with my CA, the certification path only lists the
> web server. Not my SubCA or the Windows Root CA. ???

Which certification path do you mean? The certification path from the web server? What do you get with

openssl s_client -connect your.server.com:443 -CAfile file_containing_root.pem -verify 5 -showcerts

(in one line please...)

If you get only the host certificate, you have to configure your server to send the intermediate cert.

> I generate my key
> # openssl genrsa -des3 -out /tmp/ca.key
>
> I generate a CSR from that key
> # openssl req -new -extensions v3_ca -days 3650 -key /tmp/ca.key -config openssl.cnf -out ca.csr
>
> Openssl has the following defined.
> [ v3_ca ]
> basicConstraints = CA:TRUE, pathlen:2
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always,issuer:always

Please, you generate a request. A request has no lifetime. And -extensions adds only extensions to certificates, not requests. You could try the -reqexts parameter, but I don't believe the authorityKeyIdentifier will work as expected... (since the authority is not known at the moment the request is signed...)

> I send the CSR off to the windows folks who sign it and send it back.
> They assure me they are using the SubCA Template for this.

Without a look into the certificate it is not possible to determine if the certificate is correct for your use case.

Bye
Goetz

--
DMCA: The greed of the few outweighs the freedom of the many

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org