On 06.02. 15:54, martin f krafft wrote:
> Attached you can find the generated openssl.cnf file.

Your openssl.cnf file was quite helpful. The problem, however, is with your input data. The issuerAltName and *.Url fields require a special syntax, where the value is prefixed with some kind of type-description. E.g. an email address would be specified like this:

    issuerAltName = email:[EMAIL PROTECTED]

I attached a patch to your openssl.cnf that should fix the issue for you. I note that TinyCA does not deal very gracefully with such problems.

> I note that while it successfully wrote the stuff about the x509
> extensions, the distinguished name data have not been written but are
> left at their defaults.

TinyCA seems to store these settings somewhere else, probably in the CA-certificate itself. It uses the same values you supplied there as defaults for new requests.

Regards,
uLI

--- /tmp/openssl.cnf 2005-02-06 16:38:32.000000000 +0100 +++ /tmp/fixed-openssl.cnf 2005-02-06 18:19:52.000000000 +0100 @@ -65,12 +65,12 @@ authorityKeyIdentifier = keyid:always,issuer:always basicConstraints = critical,CA:true nsCertType = sslCA, emailCA, objCA -issuerAltName = ca-madduck.net +issuerAltName = email:[EMAIL PROTECTED] nsComment = "Certificate generated by madduck.net CA" -crlDistributionPoints = http://ca.madduck.net/cgi-bin/crl? -nsCaRevocationUrl = http://ca.madduck.net/cgi-bin/crl? -nsCaPolicyUrl = http://ca.madduck.net/policy/ca/ -nsRevocationUrl = http://ca.madduck.net/cgi-bin/crl? +crlDistributionPoints = URI:http://ca.madduck.net/cgi-bin/crl? +nsCaRevocationUrl = URI:http://ca.madduck.net/cgi-bin/crl? +nsCaPolicyUrl = URI:http://ca.madduck.net/policy/ca/ +nsRevocationUrl = URI:http://ca.madduck.net/cgi-bin/crl? keyUsage = critical, keyCertSign, cRLSign [ crl_ext ]
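Review bot: the three `ns*Url` lines (`nsCaRevocationUrl`, `nsCaPolicyUrl`, `nsRevocationUrl`) should not get the `URI:` prefix. In OpenSSL's extension config these are plain string extensions, like the unprefixed `nsComment` in the same hunk, so the value is stored verbatim and a client reading the certificate would see a URL that begins with the literal text `URI:`. Only `issuerAltName` and `crlDistributionPoints` are parsed as GeneralNames and need a type prefix, so I would keep the original values on the `ns*Url` lines and limit the change to those two. It is also worth confirming that `email:` is the intended type for `issuerAltName`, since the old value `ca-madduck.net` reads like a host name rather than an address.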
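The type-prefix syntax described in the reply above can be checked mechanically before a config is handed to OpenSSL or TinyCA. The following Python check is an added example, not part of the original message or of TinyCA; the function name, the constructed sample config and the choice to check only issuerAltName, subjectAltName and crlDistributionPoints are assumptions of this example.

```python
import re

# Extensions whose values OpenSSL parses as GeneralNames (this example's choice).
GENERAL_NAME_KEYS = {"issuerAltName", "subjectAltName", "crlDistributionPoints"}
# Type prefixes accepted in front of a GeneralName value, as OpenSSL spells them.
TYPES = {"email", "URI", "DNS", "RID", "IP", "dirName", "otherName"}
# Keyword forms that are valid without naming a concrete value.
SPECIAL = {"issuerAltName": {"issuer:copy"},
           "subjectAltName": {"email:copy", "email:move"}}

# Constructed sample: an unprefixed section followed by a corrected one.
SAMPLE = """\
[ v3_ca ]
basicConstraints = critical,CA:true
issuerAltName = ca.example.org
nsComment = "constructed sample"
crlDistributionPoints = http://ca.example.org/crl
subjectAltName = email:copy, DNS:www.example.org
[ fixed ]
issuerAltName = email:ca@example.org
crlDistributionPoints = URI:http://ca.example.org/crl
"""

def check_general_names(cnf_text):
    """Return (line_no, key, item) for every GeneralName item lacking a type prefix."""
    # Values may also point at another section of the same file; collect the names.
    sections = set(re.findall(r"^\s*\[\s*([^\]\s]+)\s*\]", cnf_text, re.M))
    findings = []
    for no, raw in enumerate(cnf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        m = re.match(r"([\w.]+)\s*=\s*(.*)$", line)
        if not m or m.group(1) not in GENERAL_NAME_KEYS:
            continue
        key, value = m.groups()
        for item in (i.strip() for i in value.split(",")):
            if item == "critical" or item in SPECIAL.get(key, ()):
                continue
            if item.startswith("@") or item in sections:
                continue                             # section reference
            prefix, sep, rest = item.partition(":")
            if not sep or prefix not in TYPES or not rest:
                findings.append((no, key, item))
    return findings

if __name__ == "__main__":
    for no, key, item in check_general_names(SAMPLE):
        print(f"line {no}: {key} value {item!r} has no GeneralName type prefix")
```
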

