This should be good for most purposes. Note the basicConstraints attribute of pathlen. Unlike the root CA which has no pathlen, the intermediate has a pathlen of 0.
###
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
crlDistributionPoints=URI:http://crl1.somedomain.com/IntCA.crl,URI:http://crl2.somedomain.com/IntCA.crl
basicConstraints = critical, CA:true,pathlen:0
keyUsage=critical, keyCertSign,cRLSign
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection, timeStamping
nsCertType = server, client
certificatePolicies=ia5org,@polsect1

[polsect1]
policyIdentifier = 1.3.6.1.4.1.0.1.2.1.2.1
CPS=http://www.somedomain.com/legal/cps-intCA.pdf
###

Donald E. Bynum
Director, Architecture & Integration
O: 703.668.5616 | M: 301.367.2072 | www.networksolutions.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mallika
Sent: Thursday, September 20, 2007 4:06 AM
To: openssl-users@openssl.org
Subject: intermediate CA configuration

I want to create an intermediate CA from the root CA by using openssl.cnf. How do I configure the openssl.cnf file to create an intermediate CA which contains all attributes like the root CA, which has obj signing, certificate revocation... Can anybody help me?

--
View this message in context: http://www.nabble.com/intermediate-CA-configuration-tf4485967.html#a12792609
Sent from the OpenSSL - User mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
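
An added example, not part of the original thread or of the OpenSSL project: a shell script showing what `pathlen:0` on the intermediate (the setting the reply points out) enforces when a chain is verified. The certificate names, `demo.cnf` and its section names are constructed for the demo, and it assumes an `openssl` binary on the PATH.

```shell
#!/usr/bin/env bash
# Added example; all names below are constructed for the demo.
# Builds root -> int (pathlen:0) -> {leaf, subca -> leaf2} in a temp dir
# and reports how `openssl verify` treats the two end-entity certificates.
pathlen_demo() (
  d=$(mktemp -d) && cd "$d" || exit 2
  trap 'rm -rf "$d"' EXIT
  cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[root_ext]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
[int_ext]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[subca_ext]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature
EOF
  csr() {    # csr <name>: new key and CSR with CN=<name>
    openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
      -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  }
  issue() {  # issue <name> <issuer> <extension-section>
    csr "$1" && openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
      -CAcreateserial -days 30 -sha256 -extfile demo.cnf -extensions "$3" \
      -out "$1.crt" 2>/dev/null
  }
  csr root && openssl x509 -req -in root.csr -signkey root.key -days 30 \
    -sha256 -extfile demo.cnf -extensions root_ext -out root.crt 2>/dev/null
  issue int root int_ext       # intermediate as in the thread: pathlen:0
  issue leaf int leaf_ext      # end entity directly under the intermediate
  issue subca int subca_ext    # a further CA below the intermediate
  issue leaf2 subca leaf_ext   # end entity under that sub-CA
  openssl verify -CAfile root.crt -untrusted int.crt leaf.crt >/dev/null 2>&1 \
    && echo "leaf: accepted" || echo "leaf: rejected"
  cat int.crt subca.crt > chain.pem
  if openssl verify -CAfile root.crt -untrusted chain.pem leaf2.crt 2>&1 \
       | grep -q "path length constraint exceeded"; then
    echo "leaf2: rejected (path length constraint exceeded)"
  else
    echo "leaf2: not rejected for path length"
  fi
)
```

Signing the sub-CA certificate itself succeeds, because `pathlen` is not checked at issuance; the constraint takes effect when a relying party validates a chain that passes through it.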