Hi,
I am trying to create a certificate chain that I intend to use for signing
SSL/TLS host certificates. The chain consists of a self-signed
root certificate, and an intermediate certificate which will be used to sign
the actual server certificates.
The root certificate looks like this:
bash-4.0$ openssl x509 -noout -text -nameopt oneline,-esc_msb,utf8 -certopt
no_pubkey,no_sigdump -purpose -in
cacert/root_ca.pemCertificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C = DE, ST = Hamburg, L = Hamburg, O = Köller Family, OU =
Network Administration, CN = Köller Family Root Signing
Certificate
Validity
Not Before: Feb 6 00:03:53 2013 GMT
Not After : Jun 6 00:03:53 2060 GMT
Subject: C = DE, ST = Hamburg, L = Hamburg, O = Köller Family, OU =
Network Administration, CN = Köller Family Root Signing
Certificate
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:1
X509v3 Key Usage: critical
Certificate Sign
Trusted Uses:
TLS Web Client Authentication, TLS Web Server Authentication, E-mail
Protection
No Rejected Uses.
Alias: Root Signing Certificate
Certificate purposes:
SSL client : No
SSL client CA : Yes
SSL server : No
SSL server CA : Yes
Netscape SSL server : No
Netscape SSL server CA : Yes
S/MIME signing : No
S/MIME signing CA : Yes
S/MIME encryption : No
S/MIME encryption CA : Yes
CRL signing : No
CRL signing CA : Yes
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes
Time Stamp signing : No
Time Stamp signing CA : Yes
And here is the intermediate certificate:
bash-4.0$ openssl x509 -noout -text -nameopt oneline,-esc_msb,utf8 -certopt
no_pubkey,no_sigdump -purpose -in cacert/host_ca.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C = DE, ST = Hamburg, L = Hamburg, O = Köller Family, OU =
Network Administration, CN = Köller Family Root Signing
Certificate
Validity
Not Before: Feb 6 00:03:53 2013 GMT
Not After : Jun 5 23:59:59 2059 GMT
Subject: C = DE, ST = Hamburg, O = Köller Family, OU = Köller Family
Certification Authority, CN = Köller Family Host Signing
Certificate
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Certificate purposes:
SSL client : No
SSL client CA : Yes
SSL server : No
SSL server CA : Yes
Netscape SSL server : No
Netscape SSL server CA : Yes
S/MIME signing : No
S/MIME signing CA : Yes
S/MIME encryption : No
S/MIME encryption CA : Yes
CRL signing : Yes
CRL signing CA : Yes
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes
Time Stamp signing : No
Time Stamp signing CA : Yes
To me, this looks just as I would expect, however, if I try to validate the
chain, I get an error message:
bash-4.0$ openssl verify -x509_strict -CAfile cacert/root_ca.pem -purpose
sslserver cacert/host_ca.pem
cacert/host_ca.pem: C = DE, ST = Hamburg, O = K\C3\B6ller Family, OU =
K\C3\B6ller Family Certification Authority, CN = K\C3\B6ller Family
Host Signing Certificate
error 26 at 0 depth lookup:unsupported certificate purpose
OK
Can anybody tell why I am getting this error, and what I should do about it?
Thanks,
Thomas
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]