On Wed, Dec 20, 2006, Sudhakar wrote:

> Hi,
> 
> I am facing a problem with chain of certs.
> 
> I have used the following commands for creating chain of certs (
> servercert2.pem will have its cert signed by servercert.pem which is inturn
> signed by rootcert.pem):
> 
> openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem
> openssl x509 -req -in rootreq.pem -sha1 -days 1000 -signkey rootkey.pem -out
> rootcert.pem
> openssl req -newkey rsa:1024 -sha1 -keyout serverkey.pem -out serverreq.pem
> openssl x509 -req -in serverreq.pem -sha1 -days 1000 -CA rootcert.pem -CAkey
> rootkey.pem -CAcreateserial -out servercert.pem
> openssl req -newkey rsa:1024 -sha1 -keyout serverkey2.pem -out
> serverreq2.pem
> openssl x509 -req -in serverreq2.pem -sha1 -days 1000 -CA servercert.pem -CAkey
> serverkey.pem -CAcreateserial -out servercert2.pem
> cat servercert.pem >> servercert2.pem
> cat rootcert.pem >> servercert2.pem
> 
> I assume, at the end of these commands servercert2.pem will have a chain of
> certs.
> 

Yes, but not a valid chain of certificates. You cannot treat a server
certificate as a CA certificate because that would mean anyone could be a CA
and bad things(TM) would happen.

None of the above certificate signing commands include any extensions. The
configuration file and extension section needs to be explicitly included on
the command line. For example:

-extfile /path/to/openssl.cnf -extensions <section>

where <section> is v3_ca for the CAs and usr_cert for the server certificate.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]
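The following script is an added example, not part of the thread and not OpenSSL project code. It builds the same three-level chain the original post attempted (root, intermediate, server), but signs every certificate with `-extfile`/`-extensions` as Steve describes: `v3_ca` for the two CAs and `usr_cert` for the server certificate. It then runs `openssl verify` against the result, and repeats the build with the intermediate signed under `usr_cert` to show why a certificate without `CA:TRUE` cannot act as an issuer. The config file contents, file names, subjects and the 2048-bit key size are assumptions made for this example (the thread used 1024-bit keys); the script requires the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example: proper root -> intermediate -> server chain using the
# v3_ca and usr_cert extension sections, followed by path validation.
# Everything below (config, names, subjects) is constructed for this demo.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to do" >&2; exit 0; }

# Minimal openssl.cnf: req needs a distinguished_name section even when the
# subject comes from -subj; v3_ca and usr_cert are the extension sections.
write_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = placeholder

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer

[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# RSA key plus CSR: $1 = directory, $2 = file basename, $3 = CN.
make_request() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/$2.key" 2>/dev/null
  openssl req -new -key "$1/$2.key" -subj "/CN=$3" -config "$1/openssl.cnf" -out "$1/$2.csr"
}

# Build the chain in directory $1. $2 is the extension section used when
# signing the intermediate: v3_ca yields a real CA, usr_cert reproduces the
# thread's mistake of using a server certificate as an issuer.
build_chain() {
  dir=$1; mid_section=$2
  mkdir -p "$dir"
  write_config "$dir/openssl.cnf"

  # Root: self-signed, CA:TRUE from v3_ca.
  make_request "$dir" root "Example Root CA"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -sha256 -days 3650 \
    -extfile "$dir/openssl.cnf" -extensions v3_ca -out "$dir/root.pem" 2>/dev/null

  # Intermediate: signed by the root. Without -extfile/-extensions the output
  # would carry no extensions at all, which is the original problem.
  make_request "$dir" intermediate "Example Intermediate CA"
  openssl x509 -req -in "$dir/intermediate.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -sha256 -days 1825 -extfile "$dir/openssl.cnf" \
    -extensions "$mid_section" -out "$dir/intermediate.pem" 2>/dev/null

  # Server certificate: signed by the intermediate with the end-entity section.
  make_request "$dir" leaf "server.example.test"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/intermediate.pem" -CAkey "$dir/intermediate.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$dir/openssl.cnf" \
    -extensions usr_cert -out "$dir/leaf.pem" 2>/dev/null

  # What a server should send: leaf first, then the intermediate. The root
  # belongs in the peer's trust store rather than in the served chain.
  cat "$dir/leaf.pem" "$dir/intermediate.pem" > "$dir/chain.pem"
}

# Path validation as a client would perform it: 0 only if the leaf chains
# through the untrusted intermediate to the trusted root.
verify_chain() {
  if openssl verify -CAfile "$1/root.pem" -untrusted "$1/chain.pem" "$1/leaf.pem" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

main() {
  good=$(mktemp -d); bad=$(mktemp -d)
  build_chain "$good" v3_ca
  build_chain "$bad" usr_cert
  verify_chain "$good" && echo "v3_ca intermediate: chain verifies"
  verify_chain "$bad" || echo "usr_cert intermediate: chain rejected (not a CA certificate)"
  openssl x509 -in "$bad/intermediate.pem" -noout -text | grep -A1 'Basic Constraints'
}

main
```

`openssl x509 -req` will happily sign with any key and certificate you hand it, so the mistake in the original commands is only caught at verification time; running `openssl verify -CAfile root -untrusted chain leaf` on a freshly built bundle is the quickest check that the extensions came out right.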