I have to use MS Certificate Services configured on a Windows machine outside of my company

My CA have to be subordinate to the CA on this MS Certificate Server (which would be the ROOT CA for my CA) and
I want my CA can generate his own certificates.
So, I created a certificate request on the my FreeBSD CA server (FreeBSD some.domain 5.4-STABLE FreeBSD 5.4-STABLE #1) and submitted via mail to MS Certificate Server and after that I got a new CA certificate file. My OpenSSL is 0.9.7e-p1 25 Oct 2004

my submit was: openssl req -new -newkey -nodes -keyout server.key -out request.pem

But, it appears that the certificate that got created by MS Certificate Services is not properly configured as a CA certificate. When I create a client certificate with my CA and install it on client machine I can see the path from the certificate to the ROOT CA, but with yellow triangle on my public CA cert. Click on it in the chain, it says that: "This certification authority does not appear to be allowed to issue certificates or cannot be used as an end entity certificate". My question is which option I should use when generate request for my root subordinate CA and then sign my own certificates to use in my comapany ? some in basic constraints or KeyUsage option I guess ?!?

Thanks in advance and excuse me for my bad English

freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to