Hi all,

I am trying to create a common CA hierarchy like:


[root]
 |
 |-----[CA1]
          |
          |--------[CA2]

For this I have got the [root] certificate generated through the openssl
command prompt.
The certificates for the rest in the hierarchy have the following basic
profiles, and are generated using OpenSSL libs:

[CA1]
basicConstraints  = critical,CA:TRUE,pathlen:2
keyUsage  = keyCertSign
extendedKeyUsage = trustRoot
subjectKeyIdentifier = hash

[CA2]
basicConstraints  = critical,CA:TRUE,pathlen:1
//there could be one more ca after [CA2]; so pathlen=1
keyUsage  = keyCertSign
extendedKeyUsage = trustRoot
subjectKeyIdentifier = hash



Now the generated CA chain shows (with MSIE 6.0.2900.2180) well up to the
[CA1]. The [CA1] certificate is well attached with [root]'s and
simultaneously shows this in its status:

     """This certification authority does not appear to be allowed to issue
certificates or cannot be used as an end-entity certificate."""

and it breaks my CA chain up to [CA2].

Though I am following a basic one, am I still lacking something important in
the chosen certificate profiles?
Could I be suggested some other suitable profile settings which go with my
need to create a simple certification authority hierarchy?

It's tough going for a newbie here. I thank in advance all who make the effort
to make it easy for me.


Warm Regards,
Naveen
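
Added example, not part of the original post and not OpenSSL's own code: a small Python check of the pathlen and keyUsage values from the posted [CA1] and [CA2] profiles against the path-length rules of RFC 5280 section 6.1.4. The [root] is treated as the trust anchor and is not in the path; CA3 and CA4 are hypothetical further CAs constructed for the example.

```python
import re

# basicConstraints and keyUsage lines as posted above.
POSTED = """
[CA1]
basicConstraints  = critical,CA:TRUE,pathlen:2
keyUsage  = keyCertSign
[CA2]
basicConstraints  = critical,CA:TRUE,pathlen:1
keyUsage  = keyCertSign
"""

def parse_profiles(text):
    """Parse '[name]' sections of 'key = v1,v2' lines into nested dicts."""
    profiles, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"\[(\w+)\]", line):
            current = profiles.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = [v.strip() for v in value.split(",")]
    return profiles

def check_ca_path(profiles, path):
    """RFC 5280 section 6.1.4 steps (k)-(n) for the CA certificates in `path`,
    ordered from the one issued by the trust anchor downwards.
    Assumes no certificate in the path is self-issued."""
    max_path_length = len(path)  # effectively unconstrained at the start
    for name in path:
        bc = profiles[name].get("basicConstraints", [])
        if "CA:TRUE" not in bc:
            return False, f"{name}: basicConstraints does not assert CA:TRUE"
        if max_path_length <= 0:
            return False, f"{name}: path length constraint exceeded"
        max_path_length -= 1
        for item in bc:
            if item.startswith("pathlen:"):
                max_path_length = min(max_path_length, int(item.split(":")[1]))
        ku = profiles[name].get("keyUsage")
        if ku is not None and "keyCertSign" not in ku:
            return False, f"{name}: keyUsage lacks keyCertSign"
    return True, "ok"

if __name__ == "__main__":
    p = parse_profiles(POSTED)
    # CA3 and CA4 are hypothetical further CAs, constructed for this example.
    p["CA3"] = p["CA4"] = {"basicConstraints": ["critical", "CA:TRUE"]}
    for path in (["CA1", "CA2"], ["CA1", "CA2", "CA3"], ["CA1", "CA2", "CA3", "CA4"]):
        print(" -> ".join(path), check_ca_path(p, path))
```

This only exercises the path-length and keyCertSign rules; it does not model extendedKeyUsage handling or any browser-specific chain checks.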
