Jerry,

When you create the intermediate certificate, you need to add the following attribute:

basicConstraints=CA:true

Otherwise, the intermediate CA certificate cannot issue server certificates.

Best regards,
John Mok

On Thu, Nov 27, 2014 at 3:43 PM, Jerry OELoo <oylje...@gmail.com> wrote:
> Hi All:
> Now I want to create a certificate chain by myself.
> It will look as below:
>
> Server Certificate -> Intermediate CA -> Root CA.
>
> Now I am using the openssl command to create these certificate files.
>
>
> # Create CA
> openssl genrsa -out ca.key 4096
> openssl req -new -x509 -nodes -sha1 -days 1825 -key ca.key -out ca.crt
>
> # Create Intermediate
> openssl genrsa -out intermediate.key 4096
> openssl req -new -sha1 -key intermediate.key -out intermediate.csr
>
> # CA signs Intermediate
> openssl x509 -req -days 1825 -in intermediate.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out intermediate.crt
>
> # Create Server
> openssl genrsa -out test.example.com.key 4096
> openssl req -new -key test.example.com.key -out test.example.com.csr
>
> # Intermediate signs Server
> openssl x509 -req -days 1825 -in test.example.com.csr -CA intermediate.crt -CAkey intermediate.key -set_serial 01 -out test.example.com.crt
>
>
> Now I install ca.crt into the Windows 7 local Trust Root Store. When I open the
> test.example.com.crt file, I can see "Certificate chain" in "Certification Path".
>
> But I get 1 warning on the intermediate certificate: "This certification authority
> is not allowed to issue certificates or cannot be used as an end-entity certificate."
>
> From searching, I think this is because the intermediate certificate/key is not a
> correct intermediate CA, so it cannot sign "test.example.com.crt".
>
> Please kindly give me some suggestion about how to use the openssl command to sign
> "test.example.com.crt" with the intermediate CA. Thanks!
>
> --
> Rejoice, I Desire!
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
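The fix John describes, carried through as an added example (not code from the thread): a POSIX shell script that builds the same Root -> Intermediate -> Server chain, supplies basicConstraints=CA:TRUE to the intermediate through -extfile at signing time, and checks the result with openssl verify. It assumes a working openssl binary; the subject names, the 2048-bit keys and the "noca" switch that reproduces the original symptom are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread). build_chain DIR [noca]: writes the
# whole chain into DIR; pass "noca" to sign the intermediate with no
# extensions, exactly as the original commands did (an X.509 v1 non-CA cert).
set -e

build_chain() (
    cd "$1" && mode="${2:-ca}"
    # Root CA: self-signed via -signkey, with CA:TRUE supplied through -extfile.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > root.ext
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -sha256 -key ca.key -subj "/CN=Example Root CA" -out ca.csr 2>/dev/null
    openssl x509 -req -sha256 -days 1825 -in ca.csr -signkey ca.key \
        -extfile root.ext -out ca.crt 2>/dev/null
    # Intermediate: the CSR carries no CA flag; the extension is applied at
    # signing time. pathlen:0 stops it from issuing further CA certificates.
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > intermediate.ext
    openssl genrsa -out intermediate.key 2048 2>/dev/null
    openssl req -new -sha256 -key intermediate.key \
        -subj "/CN=Example Intermediate CA" -out intermediate.csr 2>/dev/null
    if [ "$mode" = noca ]; then
        extopts=""                       # what the original commands do
    else
        extopts="-extfile intermediate.ext"
    fi
    openssl x509 -req -sha256 -days 1825 -in intermediate.csr -CA ca.crt \
        -CAkey ca.key -CAcreateserial $extopts -out intermediate.crt 2>/dev/null
    # Leaf: explicitly CA:FALSE, serverAuth and a SAN, signed by the intermediate.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:test.example.com\n' > server.ext
    openssl genrsa -out test.example.com.key 2048 2>/dev/null
    openssl req -new -sha256 -key test.example.com.key \
        -subj "/CN=test.example.com" -out test.example.com.csr 2>/dev/null
    openssl x509 -req -sha256 -days 825 -in test.example.com.csr \
        -CA intermediate.crt -CAkey intermediate.key -CAcreateserial \
        -extfile server.ext -out test.example.com.crt 2>/dev/null
)

# verify_chain DIR: 0 when the leaf chains to ca.crt through intermediate.crt.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" -untrusted "$1/intermediate.crt" \
        "$1/test.example.com.crt" >/dev/null 2>&1
}

# is_ca_cert FILE: 0 when the certificate asserts CA:TRUE in basicConstraints.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}
```

With "noca", openssl verify rejects the chain with "invalid CA certificate", which is the same complaint the Windows certificate viewer raised in different words.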