I have given the command

    openssl x509 -req -days 365 -in intermediate.csr -CA root.certkey \
        -CAcreateserial -out intermediate.crt -extensions usr_cert \
        -extfile /etc/sll/openssl.cnf

after creating the root CA; the root.certkey has the key and crt files. Is
this command enough for creating the intermediate CA?

If I create a user certificate with this intermediate CA, in SSL
authentication it gives error 24, Unknown CA.

On the client machine I installed all the certificates: root CA, intermediate
CA and client certificate. It shows a clear hierarchy:
ROOT -> intermediate -> client.

I copied the root and intermediate certificates into /etc/ssl/certs and did
c_rehash. But with the intermediate client certificate, the client could able to
authenticate and it shows ERROR 24 and UNKNOWN CA. If I provide any other
root CA, the client is able to authenticate with that root CA's client
certificate. Please help me...

Bynum, Don wrote:
This should be good for most purposes. Note the basicConstraints
attribute of pathlen. Unlike the root CA which has no pathlen, the
intermediate has a pathlen of 0.
###
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
crlDistributionPoints=URI:http://crl1.somedomain.com/IntCA.crl,URI:http://crl2.somedomain.com/IntCA.crl
basicConstraints = critical, CA:true,pathlen:0
keyUsage=critical, keyCertSign,cRLSign
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection, timeStamping
nsCertType = server, client
certificatePolicies=ia5org,@polsect1
[polsect1]
policyIdentifier = 1.3.6.1.4.1.0.1.2.1.2.1
CPS=http://www.somedomain.com/legal/cps-intCA.pdf
###
Donald E. Bynum
Director, Architecture Integration
O: 703.668.5616 | M: 301.367.2072 | www.networksolutions.com
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of mallika
Sent: Thursday, September 20, 2007 4:06 AM
To: openssl-users@openssl.org
Subject: intermediate CA configuration
I want to create an intermediate CA from the root CA by using openssl.cnf. How
do I configure the openssl.cnf file for creating an intermediate CA which
contains all attributes like the root CA, which has obj
signing, certificate revocation...? Can anybody help me?
--
View this message in context:
http://www.nabble.com/intermediate-CA-configuration-tf4485967.html#a12792609
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
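
The following is an added example, not part of the original thread, showing how the section passed to `-extensions` decides whether an intermediate can act as a CA: it builds root, intermediate and client certificates and runs `openssl verify` on the chain. All file names, subjects and the `root_ca`/`int_ca` section names are constructed; `int_ca` uses the `CA:true, pathlen:0` settings from the reply above, while the constructed `usr_cert` section sets `CA:FALSE`, for which `openssl verify` reports error 24 (invalid CA certificate).

```shell
#!/bin/sh
# Added example: sign an intermediate with a chosen extension section,
# issue a client cert from it, and verify root -> intermediate -> client.
# All file, subject and section names are constructed for this demo.

chain_status() (   # $1 = scratch dir, $2 = section used for the intermediate
    mkdir -p "$1" && cd "$1" || exit 2
    # int_ca follows the reply's CA settings; usr_cert is an end-entity profile.
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ root_ca ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
[ int_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    newkey="-config ca.cnf -newkey rsa:2048 -nodes"
    {
    openssl req -x509 $newkey -days 30 -extensions root_ca \
        -subj "/CN=Demo Root" -keyout root.key -out root.crt &&
    openssl req -new $newkey -subj "/CN=Demo Intermediate" \
        -keyout int.key -out int.csr &&
    openssl x509 -req -days 30 -in int.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -extfile ca.cnf -extensions "$2" -out int.crt &&
    openssl req -new $newkey -subj "/CN=Demo Client" \
        -keyout client.key -out client.csr &&
    openssl x509 -req -days 30 -in client.csr -CA int.crt -CAkey int.key \
        -CAcreateserial -extfile ca.cnf -extensions usr_cert -out client.crt
    } >/dev/null 2>&1 || exit 2
    out=$(openssl verify -CAfile root.crt -untrusted int.crt client.crt 2>&1)
    printf '%s\n' "$out"
    # Judge by the text: old OpenSSL releases exit 0 even on failure.
    case $out in *"error "*) exit 1 ;; *": OK"*) exit 0 ;; *) exit 1 ;; esac
)

w=$(mktemp -d)
chain_status "$w/bad"  usr_cert || echo "=> chain rejected"
chain_status "$w/good" int_ca   && echo "=> chain accepted"
```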