-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Naveen Rawat
Sent: Saturday, July 07, 2007 9:51 AM
To: openssl-users@openssl.org
Subject: Certificate profile issue

Hi all,

I am trying to create a common CA hierarchy like:

    [root]
      |
      |-----[CA1]
              |
              |--------[CA2]

For this I have got the [root] certificate generated through the openssl command prompt. The certificates for the rest in the hierarchy have the following basic profiles, and are generated using OpenSSL libs:

    [CA1]
    basicConstraints = critical,CA:TRUE,pathlen:2
    keyUsage = keyCertSign
    extendedKeyUsage = trustRoot
    subjectKeyIdentifier = hash

    [CA2]
    basicConstraints = critical,CA:TRUE,pathlen:1   # there could be one more CA after [CA2]; so pathlen=1
    keyUsage = keyCertSign
    extendedKeyUsage = trustRoot
    subjectKeyIdentifier = hash

Now the generated CA chain shows (with MSIE 6.0.2900.2180) well up to the [CA1]. The [CA1] certificate is well attached with [root]'s and simultaneously shows this in its status:

    "This certification authority does not appear to be allowed to issue certificates or cannot be used as an end-entity certificate."

and it breaks my CA chain up to [CA2].

Though following a basic one, am I still lacking something important in the chosen certificate profiles? If I can be suggested some other suitable profile settings which go with my need to create a simple certification authority hierarchy?

It's tough going for a newbie here. I thank in advance all who make the effort to make it easy for me.

Warm Regards,
Naveen

You require a 'trusted root certificate' from a certificate authority which browsers recognize.

http://www.google.com/search?hl=en&q=ssl+certificate+authority&btnG=Search

lh..
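Added example, not part of the original thread: it builds root -> CA1 -> CA2 with the basicConstraints and keyUsage values from the question and lets `openssl verify` enforce the pathlen limits, accepting one further CA below CA2 and rejecting a second. CA3, CA4, leafA, leafB, the `*_ext` section names and the root profile are assumptions, and the extendedKeyUsage line is left out; the result shows what OpenSSL's verifier accepts, not what MSIE displays.

```shell
#!/bin/sh
# Added example (not from the thread). CA3, CA4, leafA/leafB and section names are assumed.
PKI=$(mktemp -d)
cat > "$PKI/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign
[ca1_ext]
basicConstraints = critical,CA:TRUE,pathlen:2
keyUsage = keyCertSign
subjectKeyIdentifier = hash
[ca2_ext]
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = keyCertSign
subjectKeyIdentifier = hash
[sub_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = keyCertSign
[leaf_ext]
basicConstraints = critical,CA:FALSE
EOF
# issue NAME EXT_SECTION ISSUER: new key and CSR for NAME, signed by ISSUER with EXT_SECTION
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$PKI/ca.cnf" -subj "/CN=$1" \
    -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$PKI/$1.csr" -CA "$PKI/$3.pem" -CAkey "$PKI/$3.key" \
    -CAcreateserial -days 30 -extfile "$PKI/ca.cnf" -extensions "$2" \
    -out "$PKI/$1.pem" 2>/dev/null
}
# verify_chain LEAF CA...: verify LEAF against the root, using the listed intermediates
verify_chain() {
  leaf=$1; shift; : > "$PKI/untrusted.pem"
  for ca in "$@"; do cat "$PKI/$ca.pem" >> "$PKI/untrusted.pem"; done
  openssl verify -CAfile "$PKI/root.pem" -untrusted "$PKI/untrusted.pem" "$PKI/$leaf.pem" 2>&1
}
openssl req -x509 -newkey rsa:2048 -nodes -config "$PKI/ca.cnf" -extensions root_ext \
  -subj "/CN=root" -days 30 -keyout "$PKI/root.key" -out "$PKI/root.pem" 2>/dev/null
issue CA1 ca1_ext root; issue CA2 ca2_ext CA1; issue CA3 sub_ext CA2; issue CA4 sub_ext CA3
issue leafA leaf_ext CA3; issue leafB leaf_ext CA4
# One CA below CA2 stays within pathlen:1 on CA2 and pathlen:2 on CA1.
verify_chain leafA CA1 CA2 CA3
# A second CA below CA2 exceeds the path length constraints, so verification fails.
verify_chain leafB CA1 CA2 CA3 CA4 || echo "leafB chain rejected"
```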