On Fri, 8 Mar 2002, Martin Witzel wrote:

> Hi,
>
> I have two questions about certificate chains.
>
> a.) Can an openssl intermediate CA create certificates which contain the
> certificate of an intermediate level signing CA _and_ the certificate(s) of
> higher level CAs, i.e. a certificate chain with more than one certificate?

Making chains is unlikely a CA business, one could try tuning webserver instead

> b) I have set up an intermediate level CA and signed a certificate request
> from some other requester (not openssl). I only see the intermediate level CA
> certificate, not the intermediate level CA cert + the root CA cert stacked in
> one cert as a certificate chain when I use this certificate in an SSL
> connection. However, I expected to see a certificate chain.

With openssl-based webserver, one could send a chain from server cert to root
(if CA certificates are available for webserver) accompanied by just any other
certs specified for SSL_CTX_use_certificate_chain_file()

> 1) If it is possible to create such a stacked cert at all, I must have goofed
> with the intermediate level CA cert. It should already contain the root CA
> cert together with its own cert, right?
>
> 2) The steps I took are, somewhat abbreviated:
> Create root CA key and cert
>   genrsa -out cakey.pem
>   req -new -key cakey.pem -out cakey.csr
>   req -in cakey.csr -key cakey.pem -x509 -out cacert.pem
>
> Generate 2nd level CA key
>   genrsa -out cakey2.pem
>   req -new -key cakey2.pem -out cakey2.csr
>   req -in cakey2.csr -cert cacert.pem -keyfile cakey.pem -out cacert2.pem
>
> Was there an error in the steps so far which caused the root certificate in
> the intermediate level CA to be omitted?
>
> 3. Now sign a self-signed client certificate request which BTW was not
> created with openssl.
> Replace the root key and cert file in the CA with the intermediate CA level
> file versions cakey2.pem and cacert2.pem which I have created above. Then use
> the command
>   ca -ss_cert client.csr -out clientcert.crt -policy policy_anything
>
> As mentioned, when the SSL server receives this client cert, I do not see
> that there is anything else but the intermediate level CA cert in it, no
> root cert included.
>
> Any clues?
>
> Thank you, Martin

You didn't specify webserver so it's hard to guess tuning technique

good luck,
Vadim
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
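Vadim's point, that a signed certificate never carries its issuer's certificate and the chain is a separate artefact the server is configured with, shown end to end as an added example (not code from the thread); every file name, subject and the scratch directory are constructed, and openssl(1) 1.1.1 or later is assumed on PATH:

```shell
# Added example, not from the thread: root -> intermediate -> leaf with openssl(1), showing
# that a signed leaf file carries only its own certificate and that the chain is assembled
# separately (as for SSL_CTX_use_certificate_chain_file()) and verified with the intermediate
# supplied. File names and subjects are constructed; assumes openssl 1.1.1 or later.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl(1) not on PATH, skipping" >&2; exit 0; }
build_pki() {
    dir=$1
    mkdir -p "$dir"
    # Minimal req config so the run does not depend on the system openssl.cnf.
    printf '[req]\ndistinguished_name = dn\nx509_extensions = ca_ext\n[dn]\n' > "$dir/req.cnf"
    printf '[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign\n' >> "$dir/req.cnf"
    # Extensions applied at signing time: the intermediate is a CA, the leaf is not.
    printf 'basicConstraints = critical,CA:TRUE,pathlen:0\nkeyUsage = critical,keyCertSign\n' > "$dir/ca.ext"
    printf 'basicConstraints = CA:FALSE\n' > "$dir/leaf.ext"
    # Root CA: self-signed (the -x509 step in the thread).
    openssl req -config "$dir/req.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Root CA" -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # Intermediate CA: a CSR signed by the root.
    openssl req -config "$dir/req.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=Example Intermediate CA" -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 30 -extfile "$dir/ca.ext" -out "$dir/inter.pem" 2>/dev/null
    # Leaf: a CSR (it may come from a non-openssl client) signed by the intermediate.
    openssl req -config "$dir/req.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=client" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
        -CAcreateserial -days 30 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
    # The chain is plain concatenation, leaf first, then its issuers: no CA embeds its own
    # certificate inside the certificate it issues.
    cat "$dir/leaf.pem" "$dir/inter.pem" > "$dir/chain.pem"
}
# Number of PEM certificates in a file.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }
# Verify leaf $1 against trusted root $2; optional $3 holds untrusted intermediates,
# the way a peer receives them in the handshake.
verify_leaf() {
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

d=$(mktemp -d)
build_pki "$d"
echo "leaf.pem: $(cert_count "$d/leaf.pem") cert(s); chain.pem: $(cert_count "$d/chain.pem") cert(s)"
verify_leaf "$d/leaf.pem" "$d/root.pem" || echo "leaf alone fails to verify: issuer not supplied"
verify_leaf "$d/leaf.pem" "$d/root.pem" "$d/chain.pem" && echo "leaf verifies with the chain supplied"
```

The first verify fails with "unable to get local issuer certificate", which is exactly what a peer sees when only the leaf arrives; the second succeeds because the intermediate travels alongside it.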