I think we're making some progress with resolving this problem. I signed a new request with the switch you mentioned and loaded it onto the subordinate. I don't receive the old ASN1 error, which is good, but now I've received one I've never seen before, "A certificate's basic constraint extension has not been observed." Does this mean I may have something configured incorrectly in the openssl.cnf file?
One bit of good news though is that I no longer have to export the certificate into .der format; the .pem file worked just fine. Aaron -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson Sent: Wednesday, December 27, 2006 15:04 To: openssl-users@openssl.org Subject: Re: OpenSSL with Windows subordinates > Yes the signing command is incorrect. By default the certificate is an end entity certificate for OpenSSL not a CA certificate. Try the command line switch: -extensions v3_ca Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]