On Thu, Dec 28, 2006, Aaron Barnes wrote: > I think I see what you're getting at now. I reviewed the text of the > root and the subordinate certs; the root does NOT have the CA:TRUE > (false obviously), the subordinate does have CA:TRUE. So I guess this > tells me I must have installed the root CA incorrectly. > > I didn't use CA.pl, but rather CA.sh. I'll list each step I did to set > up OpenSSL and the root. > > 1. ./config > 2. make > 3. make test > 4. make install > 5. ./CA.sh -newca > 6. ./CA.sh -sign > > It sounds like I'll probably need to redo the root setup, but let me > know if there is an adjustment I need to make based on how many tiers I > want to set up in the overall PKI. > I'll also email you copies of the certificates separately.
Yes the root CA has basicConstraints CA:FALSE on it which is causing the error. I'd suggest you redo the root CA and the subordinate using CA.pl: CA.sh is an older script that isn't maintained any more. The command CA.pl -signCA automatically signs a request as a CA instead of an end entity cert. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
