Hi,

Thanks for your help. I learn a new thing every day. I really did not know there is a difference between a SERVER cert and a Client cert. If I have a self-signed CA certificate, what is the difference in the options of the openssl command which allow me to generate a Server cert signed by my CA and a Client cert? I have a script file which comes from Network Security with OpenSSL (page 124) that generates a root CA cert/key, a server CA (signed by the root CA), a server cert/key (signed by the server CA) and a client cert/key (signed by the root CA). I looked into the openssl commands and *.cnf files, but I do not see the difference when generating a Client or Server cert. I am lost. Please help.
TD

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marek Marcola
Sent: Wednesday, July 04, 2007 5:52
To: openssl-users@openssl.org
Subject: RE: Looking for command in openssl to verify CA

Hello,
> I try to Google for openssl x509 -purpose, but no information at all.
> What is that ?? I try this command and it gives me :
>
> Certificate purpose:
> SSL client : yes
> SSL client CA: no
> SSL server : no
As you see, your SSL server certificate is not "certified" for this purpose.
For an SSL server certificate this should be "yes".
You must get a correct certificate.
> SSL server CA: no
> Netscape SSL server: No
> Netscape SSL server CA: No
> S/MINE signing: YES
> S/MINE signing CA: NO
> S/MINE encrytion: YES
> S/MINE encrytion CA: NO
> CRL signing: No
> CRL signing CA: No
> Any Purpose: Yes
> Any Purpose CA: Yes
> OCSP helper: Yes
> OCSP helper CA: No
This looks like an end user certificate (mail, SSL client) but you need
an SSL server certificate.

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
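
Added example, not part of the original thread or of the book's script: one standard way a server certificate and a client certificate come to differ is the extendedKeyUsage extension applied at signing time, which is what `openssl x509 -purpose` then reports as "SSL server" / "SSL client". The demo CA, subject names, file names and the helper functions issue_cert and purpose_of are constructed for this illustration.

```shell
#!/bin/sh
# Added example: a throwaway CA signs two leaf certificates that differ only
# in extendedKeyUsage; `openssl x509 -purpose` then shows the difference.
# All names, paths and helper functions are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed demo root CA (30-day lifetime, unencrypted key: demo only).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# issue_cert CN EKU NAME: create key + CSR, then sign with the demo CA.
# EKU is the only thing that differs: serverAuth or clientAuth.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
    cat > "$WORK/$3.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = $2
EOF
    openssl x509 -req -in "$WORK/$3.csr" -days 30 \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$3.ext" -out "$WORK/$3.pem" 2>/dev/null
}

# purpose_of NAME ROW: print yes/no for one row of the -purpose report,
# e.g. ROW="SSL server". Rows look like "SSL server : Yes".
purpose_of() {
    openssl x509 -in "$WORK/$1.pem" -noout -purpose |
        awk -F' : ' -v row="$2" '$1 == row { print tolower($2) }'
}

issue_cert "server.example.test" serverAuth server
issue_cert "demo-client" clientAuth client

for c in server client; do
    echo "$c: SSL server=$(purpose_of "$c" "SSL server")" \
         "SSL client=$(purpose_of "$c" "SSL client")"
done
```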