How to set CA:TRUE, in an existing cert
Hi to everyone on the list, Please help me figure out this. I'm trying to add the CA:TRUE constraint to one of my existing cert (the GTE CyberTrust Global Root, actually, can be downloaded here: http://ugykezelo.elte.hu/files/gte-cybertrust-global-root.crt ). I found in a different cert, that when I issue the $ openssl x509 -text -in good-ca-cert.crt command, it includes the following info: X509v3 Basic Constraints: CA:TRUE And the GTE cert lacks in this. Explanation why I need this: I'm trying to install a CA cert on my Android phone, to use my university WiFi account, via http://www.realmb.com/droidCert/ I would need to install the GTE CyberTrust Root cert, but it is getting registered as a client cert, not a CA one. If I try to install one with CA:TRUE, then it's working properly. Can you tell me how to add this CA:TRUE propery to a certificate? Thanks in advance, --Attila __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl-users] How to set CA:TRUE, in an existing cert
Hello, Hodie IV Id. Mai. MMX, Darázs Attila scripsit: Please help me figure out this. I'm trying to add the CA:TRUE constraint to one of my existing cert (the GTE CyberTrust Global Root, actually, can be downloaded here: http://ugykezelo.elte.hu/files/gte-cybertrust-global-root.crt ). First, you can't modify an existing certificate without invalidating its signature. Second, this certificate is a V1 one, and extensions were added to V3 of the X.509 standard. You can't then add the basicConstraints extension. Explanation why I need this: I'm trying to install a CA cert on my Android phone, to use my university WiFi account, via http://www.realmb.com/droidCert/ I would need to install the GTE CyberTrust Root cert, but it is getting registered as a client cert, not a CA one. If I try to install one with CA:TRUE, then it's working properly. -- Erwann ABALEA erwann.aba...@keynectis.com - Computers can never replace human stupidity. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl-users] How to set CA:TRUE, in an existing cert
So basically if I don't find a cert with the correct options, I'm screwed. Thank you for the explanation. Attila 2010/5/12 Erwann ABALEA erwann.aba...@keynectis.com: Hello, Hodie IV Id. Mai. MMX, Darázs Attila scripsit: Please help me figure out this. I'm trying to add the CA:TRUE constraint to one of my existing cert (the GTE CyberTrust Global Root, actually, can be downloaded here: http://ugykezelo.elte.hu/files/gte-cybertrust-global-root.crt ). First, you can't modify an existing certificate without invalidating its signature. Second, this certificate is a V1 one, and extensions were added to V3 of the X.509 standard. You can't then add the basicConstraints extension. Explanation why I need this: I'm trying to install a CA cert on my Android phone, to use my university WiFi account, via http://www.realmb.com/droidCert/ I would need to install the GTE CyberTrust Root cert, but it is getting registered as a client cert, not a CA one. If I try to install one with CA:TRUE, then it's working properly. -- Erwann ABALEA erwann.aba...@keynectis.com - Computers can never replace human stupidity. __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-us...@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: How to set CA:TRUE, in an existing cert
I'm trying to install a CA cert on my Android phone, to use my university WiFi account, via http://www.realmb.com/droidCert/ I would need to install the GTE CyberTrust Root cert, but it is getting registered as a client cert, not a CA one. If I try to install one with CA:TRUE, then it's working properly. Can you tell me how to add this CA:TRUE propery to a certificate? Make your own root, and then cross-certify the GTE public key and id adding the appropriate extensions. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org