On III Kal. Sep. MMX (30 August 2010), Tomás Tormo wrote:

[...]
> [amsterdam:/morralla/ttormo/ACIndenova]# openssl x509 -in acindenova.cer -text
[...]
> Not Before: Dec 8 08:31:12 2006 GMT
> Not After : Dec 5 08:41:12 2016 GMT
[...]
> [amsterdam:/test]# openssl x509 -in admesigna.cer -text
> Certificate:
[...]
> Not Before: May 10 12:25:25 2010 GMT
> Not After : May 7 12:35:25 2020 GMT
[...]
Maybe OpenSSL doesn't like the fact that your EE certificate lasts longer than its CA?

Anyway, other things:

- e=3 is not considered good
- will your Root CA sign something other than certificates and CRLs? If not, there's no use for the digitalSignature flag in the keyUsage extension
- a CRLDP in a Root is useless. Trust comes out-of-band, end of trust will also come out-of-band
- a certificatePolicies extension in a Root is useless, it won't be processed at all if one follows the normative algorithm
- netscapeCertType is of no use in 2010
- in your EE cert, qcStatements extension, you placed the 0.4.0.1862.1.1 OID twice. Useless, once is enough
- in your EE cert, you added an AIA extension with an empty OCSP URI. Bad.
- in your EE cert, you added an AIA extension with a CAIssuers field, but the considered CA is a self-signed one, so it has no other issuer than itself, so it's useless
- in your EE cert, you specified a policy in your certificatePolicies extension. While this particular example is correct, that's just because a compliant implementation will ignore the OID used on the Root. If a non-compliant one takes the Root OID into consideration, then it will fail

-- 
Erwann ABALEA <erwann.aba...@keynectis.com>
R&D Department, KEYNECTIS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
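As an added example (not part of this thread), the script below builds a throwaway PKI with the same shape as the quoted certificates, a root valid one year and an EE valid ten, using a root profile that deliberately carries the key and extension problems listed in the reply; it then lints the root for those problems and shows that OpenSSL's path validation accepts the pair while both are valid but rejects the EE once the root's notAfter has passed, whatever the EE's own notAfter says. It assumes a POSIX shell with mktemp and an openssl binary (1.1.1 or later) on PATH; the names, the 2.999.1 policy OID and the CRL URL are constructed.

```shell
set -eu
DEMO=$(mktemp -d)   # throwaway working directory for the constructed PKI
# Root profile reproducing the reply's points on purpose: digitalSignature in
# keyUsage, a CRLDP and a certificatePolicies OID (2.999.1, example arc) on a root.
cat >"$DEMO/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Demo Root
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
crlDistributionPoints = URI:http://crl.example.invalid/root.crl
certificatePolicies = 2.999.1
EOF
build_demo_pki() {
  # Root key with public exponent 3 (the "e=3" point); root certificate valid 365 days.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -pkeyopt rsa_keygen_pubexp:3 -out "$DEMO/root.key" 2>/dev/null
  openssl req -x509 -config "$DEMO/req.cnf" -key "$DEMO/root.key" -days 365 \
    -out "$DEMO/root.pem" 2>/dev/null
  # EE certificate valid 3650 days, so it outlives its issuer like the quoted certificates.
  openssl req -new -config "$DEMO/req.cnf" -subj "/CN=Demo EE" -newkey rsa:2048 \
    -nodes -keyout "$DEMO/ee.key" -out "$DEMO/ee.csr" 2>/dev/null
  openssl x509 -req -days 3650 -in "$DEMO/ee.csr" -CA "$DEMO/root.pem" \
    -CAkey "$DEMO/root.key" -CAcreateserial -out "$DEMO/ee.pem" 2>/dev/null
}
# Prints one line per issue from the reply that shows up in `openssl x509 -text` output.
lint_root() {
  t=$(openssl x509 -in "$1" -noout -text)
  echo "$t" | grep -q 'Exponent: 3 '            && echo e=3
  echo "$t" | grep -q 'Digital Signature'       && echo digitalSignature-in-root
  echo "$t" | grep -q 'CRL Distribution Points' && echo crldp-in-root
  echo "$t" | grep -q 'Certificate Policies'    && echo policies-in-root
  return 0
}
# Prints "ok" when OpenSSL builds a valid path for the EE at the given epoch time.
verify_at() {
  if openssl verify -attime "$1" -CAfile "$DEMO/root.pem" "$DEMO/ee.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}
build_demo_pki
NOW=$(date +%s)
lint_root "$DEMO/root.pem"
verify_at "$NOW"                    # ok: both certificates are valid today
verify_at $((NOW + 364 * 86400))    # ok: still inside the root's 365 days
verify_at $((NOW + 400 * 86400))    # fail: root expired, the EE's later notAfter does not help
```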