-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[EMAIL PROTECTED] wrote:
> PKI newbie in need of help. 

Hello Steward,

> When I sign a SSL cert with my CA, the certification path only lists the
> web server.  Not my SubCA or the Windows Root CA. 

???
Which certification path do you mean?
The certification path from the web server?

What do you get with
openssl s_client -connect your.server.com:443
        -CAfile file_containing_root.pem -verify 5 -showcerts

(in one line please...)

If you get only the host certificate,
you have to configure your server to send the intermediate cert.

> I generate my key 
> # openssl genrsa -des3 -out /tmp/ca.key
> 
> I generate a CSR from that key
> # openssl req -new -extensions v3_ca -days 3650 -key /tmp/ca.key -config
> openssl.cnf -out ca.csr
>
> Openssl has the following defined.
> [ v3_ca ]
> basicConstraints              = CA:TRUE, pathlen:2
> subjectKeyIdentifier  = hash
> authorityKeyIdentifier        = keyid:always,issuer:always

Please, you generate a request.
A request has no lifetime.
And -extensions adds only extensions to certificates,
not requests.
You could try the -reqexts parameter,
but I don't believe the authorityKeyIdentifier will
work as expected...
(since the authority is not known at the moment the request is signed...)

> I send the CSR off to the windows folks who sign it and send it back.
> They assure me they are using the SubCA Template for this.

Without a look into the certificate it is not possible to determine
if the certificate is correct for your use case.

Bye

Goetz

- --
DMCA: The greed of the few outweighs the freedom of the many
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE22+W2iGqZUF3qPYRAhBVAJ9G7NOcFR6EdOMpzFKBhCdudRE6SQCfUfep
koDlDXE+NbFxgtsyy2acPeU=
=e7pb
-----END PGP SIGNATURE-----
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
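As an added example that is not part of this thread and not the OpenSSL project's own code, the script below reproduces the two points of the reply offline with nothing but the openssl CLI: a CSR only carries the extensions you put in it with -reqexts, the issuing CA decides what ends up in the certificate, and a client that receives only the server certificate cannot build the path to the root unless the intermediate is supplied as well. It assumes an `openssl` binary (1.1.1 or 3.x) on PATH and a writable temp directory; every CA name, hostname and file name in it is made up.

```shell
#!/bin/sh
# Added example, not from the original thread: build a throwaway
# root -> sub CA -> server chain and check how the path verifies.
# Names (Example Root CA, Example Sub CA, www.example.test) are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config. The CSR section deliberately has no authorityKeyIdentifier:
# no issuer is known when a request is created, so keyid:always cannot be
# satisfied there (the caveat raised in the reply).
cat > "$WORK/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = placeholder

[ req_subca ]
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash

[ v3_root ]
basicConstraints = critical, CA:TRUE, pathlen:2
subjectKeyIdentifier = hash

[ v3_subca ]
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_server ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
EOF

build_pki() {
  # Self-signed root: -extensions applies here because -x509 issues a certificate.
  openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -out "$WORK/root.pem" -days 365 -subj "/CN=Example Root CA" \
    -config "$WORK/pki.cnf" -extensions v3_root 2>/dev/null

  # Sub CA request: -reqexts puts extensions into the CSR itself. A CSR has no
  # validity period, so there is no -days here.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/sub.key" \
    -out "$WORK/sub.csr" -subj "/CN=Example Sub CA" \
    -config "$WORK/pki.cnf" -reqexts req_subca 2>/dev/null

  # The issuer, not the requester, fixes the final extensions: they come from the
  # CA-side -extfile/-extensions, and pathlen bounds how deep the chain may go.
  openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -out "$WORK/sub.pem" -days 365 \
    -extfile "$WORK/pki.cnf" -extensions v3_subca 2>/dev/null

  # Server certificate issued by the sub CA.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/CN=www.example.test" \
    -config "$WORK/pki.cnf" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/sub.pem" -CAkey "$WORK/sub.key" \
    -CAcreateserial -out "$WORK/server.pem" -days 365 \
    -extfile "$WORK/pki.cnf" -extensions v3_server 2>/dev/null
}

# Does the CSR carry the basicConstraints that -reqexts asked for?
csr_requests_ca() {
  openssl req -in "$WORK/sub.csr" -noout -text | grep -q 'CA:TRUE'
}

# Did the issued sub CA certificate get the CA's own pathlen:0?
subca_cert_is_ca() {
  openssl x509 -in "$WORK/sub.pem" -noout -text | grep -q 'pathlen:0'
}

# What a client sees when the server sends only its own certificate: the trusted
# root alone cannot complete the path, so verification fails.
verify_leaf_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# What a client sees when the server also sends the intermediate; -untrusted
# plays the role of the extra certificates delivered in the TLS handshake.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/sub.pem" \
    "$WORK/server.pem" >/dev/null 2>&1
}

build_pki
csr_requests_ca && echo "CSR carries the requested CA:TRUE extension"
subca_cert_is_ca && echo "sub CA cert is CA:TRUE, pathlen:0 (set by the issuer, not the CSR)"
if verify_leaf_only; then
  echo "leaf verifies alone (unexpected)"
else
  echo "leaf alone: unable to build path to the root"
fi
verify_with_intermediate && echo "leaf + intermediate: chain OK"
```

Against a live server the equivalent check is the s_client command quoted in the reply: the certificates printed by -showcerts are what the client has to work with, and if only the host certificate appears there, the intermediate has to be added to the server's configuration, exactly as `-untrusted` supplies it here.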