Jerry,
When you create the intermediate certificate, you need to add the
following attribute :-
basicConstraints=CA:true
Otherwise, the intermediate CA certificate can not issue server certificates.
Best regards, John Mok
On Thu, Nov 27, 2014 at 3:43 PM, Jerry OELoo oylje...@gmail.com wrote:
Hi All:
Now I want to create a certificate chain by myself.
It will looks like as below:
Server Certificate - Intermediate CA - Root CA.
Now I am using openssl command to create these certificate files.
# Create CA
openssl genrsa -out ca.key 4096
openssl req -new -x509 -nodes -sha1 -days 1825 -key ca.key -out ca.crt
# Create Intermediate
openssl genrsa -out intermediate.key 4096
openssl req -new -sha1 -key intermediate.key -out intermediate.csr
# CA signs Intermediate
openssl x509 -req -days 1825 -in intermediate.csr -CA ca.crt -CAkey
ca.key -set_serial 01 -out intermediate.crt
# Create Server
openssl genrsa -out test.example.com.key 4096
openssl req -new -key test.example.com.key -out test.example.com.csr
# Intermediate signs Server
openssl x509 -req -days 1825 -in test.example.com.csr -CA
intermediate.crt -CAkey intermediate.key -set_serial 01 -out
test.example.com.crt
Now I install ca.crt into WIndows7 local Trust Root Store. when I open
test.example.com.crt file, I can see Certificate chain in
Certification Path.
But I get 1 warning information on intermediate certificate This
certification authority is not allowed to issue certificates or cannot
be used as an end-entity certificate.
From search, I think this is because intermediate certificate/key is
not a correct intermediate CA that it can not sign
test.example.com.crt.
Please kindly give me some suggestion about how to use openssl command
to sign test.example.com.crt with intermediate CA. Thanks!
--
Rejoice,I Desire!
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org