-----Original Message-----
From: Vadim Fedukovich [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 08, 2002 12:10 PM
To: [EMAIL PROTECTED]
Subject: Re: intermediate level CA certificates, chains
On Fri, 8 Mar 2002, Martin Witzel wrote:
>
> Hi,
>
> I have two questions about certificate chains.
>
> a.) Can an openssl intermediate CA create certificates which contain the
> certificate of an intermediate level signing CA _and_ the certificate(s) of
> higher level CAs, i.e. a certificate chain with more than one certificate?
Making chains is unlikely a CA business, one could try
tuning webserver instead
> b) I have set up an intermediate level CA and signed a certificate request
> from some other requester (not openssl). I only see the intermediate level CA
> certificate, not the intermediate level CA cert + the root CA cert stacked in
> one cert as a certificate chain when I use this certificate in an SSL
> connection. However, I expected to see a certificate chain.
With openssl-based webserver, one could send a chain from server cert
to root (if CA certificates are available for webserver) accompanied by
just any other certs specified for SSL_CTX_use_certificate_chain_file()
> 1) If it is possible to create such a stacked cert at all, I must have
> goofed with the intermediate level CA cert. It should already contain the
> root CA cert together with its own cert, right?
>
> 2) The steps I took are, somewhat abbreviated:
> Create root CA key and cert
> genrsa -out cakey.pem
> req -new -key cakey.pem -out cakey.csr
> req -in cakey.csr -key cakey.pem -x509 -out cacert.pem
>
> Generate 2nd level CA key
> genrsa -out cakey2.pem
> req -new -key cakey2.pem -out cakey2.csr
> req -in cakey2.csr -cert cacert.pem -keyfile cakey.pem -out cacert2.pem
>
> Was there an error in the steps so far which caused the root certificate in
> the intermediate level CA to be omitted?
>
> 3. Now sign a self-signed client certificate request which BTW was not
> created with openssl.
> Replace the root key and cert file in the CA with the intermediate CA
> level file versions cakey2.pem and cacert2.pem which I have created above.
> Then use the command
> ca -ss_cert client.csr -out clientcert.crt -policy policy_anything
>
> As mentioned, when the SSL server receives this client cert, I do not see
> that there is anything else but the intermediate level CA cert in it, no
> root cert included.
>
> Any clues? Thank you, Martin
You didn't specify webserver so it's hard to guess tuning technique
good luck,
Vadim
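Vadim's point above is that the endpoint, not the CA, supplies the intermediate. The following added shell example (not from the thread or the OpenSSL project) builds a root, an intermediate and a leaf with the openssl CLI, assembles the chain file that SSL_CTX_use_certificate_chain_file() reads, and shows the leaf verifying only when the intermediate is provided alongside it. It assumes openssl 1.1.1 or newer on PATH; the subject names, file names and the temporary directory are made up.

```shell
# Added example, not code from the thread: build root -> intermediate -> leaf
# with the openssl CLI, assemble the file SSL_CTX_use_certificate_chain_file()
# reads (leaf first, then intermediate; root stays out) and show the leaf
# verifies only when the intermediate travels with it. Assumes openssl 1.1.1+;
# every name and path below is made up for the demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"

build_chain() {
  cd "$WORK"
  cat > ca.cnf <<'EOF'   # minimal config: CAs get CA:TRUE, the leaf CA:FALSE
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[v3_int]
basicConstraints = critical,CA:TRUE,pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[v3_leaf]
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid:always
EOF
  # Self-signed root, then each lower level is a CSR signed by its parent.
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/CN=Demo Root CA" -days 365 -config ca.cnf -extensions v3_ca
  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Demo Intermediate CA" -config ca.cnf
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out int.pem -days 365 -extfile ca.cnf -extensions v3_int
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=client.example.test" -config ca.cnf
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -out leaf.pem -days 365 -extfile ca.cnf -extensions v3_leaf
  # What the endpoint should send: end-entity cert followed by the intermediate.
  cat leaf.pem int.pem > chain.pem
}
chain_count() { grep -c 'BEGIN CERTIFICATE' "$WORK/chain.pem"; }
# Peer trusts only the root and takes the intermediate from the chain file.
verify_with_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/chain.pem" \
    "$WORK/leaf.pem" 2>&1 | grep -q ': OK$'
}
verify_leaf_alone() {   # the thread's situation: leaf alone, no intermediate
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1 | grep -q ': OK$'
}
build_chain >/dev/null 2>&1
verify_with_chain && echo "chain OK, $(chain_count) certs in chain.pem"
```

The `ca` command in the thread writes only the leaf certificate; the root is never embedded in any lower certificate, which is why the server's chain file has to carry the intermediate.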
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]