Yes I did. I had to install that yesterday also in order for the subordinate to trust the root.
I was reading on the web site (specifically on this web page: http://www.openssl.org/docs/apps/x509v3_config.html# ) It would seem to indicate one should modify the basicConstraints lines in the openssl.cnf file, but again I am not terribly familiar with this option. The only things I have modified in my openssl.cnf file so far are the lines to include email address, location, directory structure , changed policy fields to optional, and the key size. If I am understanding this correctly, the OpenSSL root issued the certificate as a simple 'machine' cert, not as a subordinate CA. Am I on the right track? Aaron -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson Sent: Thursday, December 28, 2006 11:55 To: openssl-users@openssl.org Subject: Re: OpenSSL with Windows subordinates On Thu, Dec 28, 2006, Aaron Barnes wrote: > I think we're making some progress with resolving this problem. I > signed a new request with the switch you mentioned and loaded it onto > the subordinate. I don't receive the old ASN1 error, which is good, > but now I've received one I've never seen before, "A certificate's > basic constraint extension has not been observed." Does this mean I > may have something configured incorrectly in the openssl.cnf file? > Did you install a root CA onto that system too? If so that might be a problem depending on how you created it. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
