RE: intermediate CA configuration

2007-09-25 Thread Bynum, Don
Please send me your extensions file, CA cert/Key and the CSR you are
using for your intermediate.  I am assuming that what you have so far is
for testing purposes.  Otherwise, I would not ask for the CA key
(obviously).  Send them to me as a zip file and I'll take a look.

Don.

Donald E. Bynum
Director, Architecture  Integration
 

O: 703.668.5616   |  M: 301.367.2072  |  www.networksolutions.com



Re: intermediate CA configuration

2007-09-25 Thread Dr. Stephen Henson
On Tue, Sep 25, 2007, Bynum, Don wrote:

> Please send me your extensions file, CA cert/Key and the CSR you are
> using for your intermediate.  I am assuming that what you have so far is
> for testing purposes.  Otherwise, I would not ask for the CA key
> (obviously).  Send them to me as a zip file and I'll take a look.

You just need to specify the correct extension section when you sign the
request, v3_ca for example.

If you used the simpler CA.pl script (see FAQ et al) then the option -signCA
will do the trick.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
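
Added example (not part of the thread and not OpenSSL's own code): the shell function below builds a root, an intermediate and a client certificate with the same "openssl x509 -req" form used in the thread. It shows that an intermediate signed with a CA:FALSE section such as usr_cert makes "openssl verify" fail with error 24 (invalid CA certificate), while a CA:true section passes. File names, subjects, the v3_root section and the ext.cnf contents are constructed for the demo, and an openssl binary on PATH is assumed.

```shell
#!/bin/sh
# Added example: file names, subjects and ext.cnf contents are constructed.
# mk_csr NAME CN: new 2048-bit RSA key NAME.key and request NAME.csr.
mk_csr() {
    openssl req -new -config ext.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.csr"
}
# sign NAME CA SECTION: issue NAME.crt from NAME.csr under CA.crt/CA.key.
sign() {
    openssl x509 -req -days 30 -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
        -CAcreateserial -out "$1.crt" -extfile ext.cnf -extensions "$3"
}
# chain_check SECTION: build root -> intermediate -> client, signing the
# intermediate with SECTION; print `openssl verify` output, return its status.
chain_check() {
    d=$(mktemp -d) || return 2
    cat > "$d/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_root ]
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
[ v3_ca ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
EOF
    (
        cd "$d" || exit 2
        openssl req -x509 -config ext.cnf -extensions v3_root -newkey rsa:2048 \
            -nodes -days 30 -subj "/CN=Demo Root" -keyout root.key -out root.crt &&
        mk_csr int "Demo Intermediate" && sign int root "$1" &&
        mk_csr client "Demo Client" && sign client int usr_cert
    ) >/dev/null 2>&1 || { rm -rf "$d"; return 2; }
    rc=0
    out=$(openssl verify -CAfile "$d/root.crt" -untrusted "$d/int.crt" \
        "$d/client.crt" 2>&1) || rc=$?
    rm -rf "$d"
    printf '%s\n' "$out"
    return "$rc"
}
chain_check usr_cert || true   # intermediate is CA:FALSE: verify reports error 24
chain_check v3_ca || true      # intermediate is CA:true, pathlen:0: verify reports OK
```

Signing succeeds in both runs because "openssl x509 -req" does not check that the -CA certificate is allowed to issue; the problem only appears when the chain is verified.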


intermediate CA configuration

2007-09-20 Thread mallika

I want to create an intermediate CA from a root CA by using openssl.cnf. How
do I configure the openssl.cnf file for creating an intermediate CA which
contains all attributes like the root CA, which has obj signing, certificate
revocation...? Can anybody help me?


RE: intermediate CA configuration

2007-09-20 Thread Bynum, Don
This should be good for most purposes.  Note the basicConstraints
attribute of pathlen.  Unlike the root CA which has no pathlen, the
intermediate has a pathlen of 0.

###
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
crlDistributionPoints=URI:http://crl1.somedomain.com/IntCA.crl,URI:http://crl2.somedomain.com/IntCA.crl
basicConstraints = critical, CA:true,pathlen:0
keyUsage=critical, keyCertSign,cRLSign
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection, timeStamping
nsCertType = server, client

certificatePolicies=ia5org,@polsect1

[polsect1]

policyIdentifier = 1.3.6.1.4.1.0.1.2.1.2.1
CPS=http://www.somedomain.com/legal/cps-intCA.pdf 
###

 


RE: intermediate CA configuration

2007-09-20 Thread mallika

I have given the command:

openssl x509 -req -days 365 -in intermediate.csr -CA root.certkey \
    -CAcreateserial -out intermediate.crt -extensions usr_cert \
    -extfile /etc/sll/openssl.cnf

After creating the root CA, root.certkey contains the key and crt files. Is
this command enough for creating the intermediate CA?

If I create a user certificate with this intermediate CA, SSL
authentication gives error 24, Unknown CA.

On the client machine I installed all the certificates: root CA, intermediate
CA and client certificate. It shows a clear hierarchy:
ROOT -> intermediate -> client.

I copied the root and intermediate certificates into /etc/ssl/certs and ran
c_rehash. But with the intermediate client certificate, client could able to
authenticate and showing the ERROR 24 and UNKNOWN CA. If I provide any other
root CA, the client is able to authenticate with that root CA's client
certificate. Please help me...
