Please send me your extensions file, CA cert/Key and the CSR you are using for your intermediate. I am assuming that what you have so far is for testing purposes. Otherwise, I would not ask for the CA key (obviously). Send them to me as a zip file and I'll take a look.
Don.
[EMAIL PROTECTED]

Donald E. Bynum
Director, Architecture & Integration
O: 703.668.5616 | M: 301.367.2072 | www.networksolutions.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mallika
Sent: Friday, September 21, 2007 1:39 AM
To: openssl-users@openssl.org
Subject: RE: intermediate CA configuration

I have given the command

    openssl x509 -req -days 365 -in intermediate.csr -CA root.certkey -CAcreateserial -out intermediate.crt -extensions usr_cert -extfile /etc/sll/openssl.cnf

after creating the root CA; the root.certkey is having key and crt files. Is this command enough for creating the intermediate CA? If I create a user certificate with this intermediate CA, in SSL authentication it is giving error 24, Unknown CA. In client machine I installed all the certificates: root CA and intermediate CA and client certificate. It is showing clear hierarchy: ROOT........>intermediate.....>client. I copied the root and intermediate certificates in /etc/ssl/certs and did c_rehash. BUT with the intermediate client certificate, client could able to authenticate and showing the ERROR 24 and UNKNOWN CA. If I provide any other root CA, the client can be able to authenticate with that root CA client certificate. Please help me.......

Bynum, Don wrote:
>
> This should be good for most purposes. Note the basicConstraints
> attribute of pathlen. Unlike the root CA which has no pathlen, the
> intermediate has a pathlen of 0.
>
> ###
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid:always
> crlDistributionPoints=URI:http://crl1.somedomain.com/IntCA.crl,URI:http://crl2.somedomain.com/IntCA.crl
> basicConstraints = critical, CA:true,pathlen:0
> keyUsage=critical, keyCertSign,cRLSign
> extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection, timeStamping
> nsCertType = server, client
>
> certificatePolicies=ia5org,@polsect1
>
> [polsect1]
>
> policyIdentifier = 1.3.6.1.4.1.0.1.2.1.2.1
> CPS=http://www.somedomain.com/legal/cps-intCA.pdf
> ###
>
>
> Donald E. Bynum
> Director, Architecture & Integration
>
>
> O: 703.668.5616 | M: 301.367.2072 | www.networksolutions.com
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mallika
> Sent: Thursday, September 20, 2007 4:06 AM
> To: openssl-users@openssl.org
> Subject: intermediate CA configuration
>
>
> I want to create intermediate CA from root CA by using openssl.cnf.
> How to configure openssl.cnf file for creating intermediate CA which
> contains all attributes like root CA which is having obj
> signing, certificate revocation... Can anybody help me....
> --
> View this message in context:
> http://www.nabble.com/intermediate-CA-configuration-tf4485967.html#a12792609
> Sent from the OpenSSL - User mailing list archive at Nabble.com.
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
>

--
View this message in context: http://www.nabble.com/intermediate-CA-configuration-tf4485967.html#a12810885
Sent from the OpenSSL - User mailing list archive at Nabble.com.
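The command posted in this thread signs the intermediate with `-extensions usr_cert`, and in the stock openssl.cnf that section sets basicConstraints=CA:FALSE; OpenSSL's verify error 24 is "invalid CA certificate". The script below is an added example, not code from the thread: it builds a throwaway root -> intermediate -> client chain twice, once with a CA section modelled on the extensions quoted above and once with a usr_cert-style section, and reports what `openssl verify` says. All file names, subjects and section names are constructed.

```shell
#!/bin/sh
# Added example: every file name, subject and section name here is constructed.
set -eu

# chain_result SECTION: build root -> intermediate -> client, signing the
# intermediate with extension SECTION, and report the `openssl verify` result.
chain_result() {
  d=$(mktemp -d)
  cat > "$d/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
CN = unused
[ v3_root ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
[ v3_intermediate ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ usr_cert_like ]
basicConstraints = CA:FALSE
EOF
  # One key and CSR per certificate; -subj supplies the name, [ dn ] is unused.
  for n in root intermediate client; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" >/dev/null 2>&1
  done
  sign() { openssl x509 -req -days 30 -extfile "$d/ca.cnf" "$@" >/dev/null 2>&1; }
  sign -in "$d/root.csr" -signkey "$d/root.key" -extensions v3_root -out "$d/root.crt"
  sign -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extensions "$1" -out "$d/intermediate.crt"
  sign -in "$d/client.csr" -CA "$d/intermediate.crt" -CAkey "$d/intermediate.key" \
    -CAcreateserial -extensions usr_cert_like -out "$d/client.crt"
  # Trust only the root; offer the intermediate as an untrusted chain element.
  res=$(openssl verify -CAfile "$d/root.crt" -untrusted "$d/intermediate.crt" \
    "$d/client.crt" 2>&1 || true)
  rm -rf "$d"
  case $res in
    *"error 24"*) echo "error 24 (invalid CA certificate)" ;;
    *": OK"*)     echo "ok" ;;
    *)            echo "other: $res" ;;
  esac
}

echo "intermediate signed with v3_intermediate: $(chain_result v3_intermediate)"
echo "intermediate signed with usr_cert_like:   $(chain_result usr_cert_like)"
```

To inspect an existing intermediate, `openssl x509 -in intermediate.crt -noout -text` prints its X509v3 Basic Constraints value.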