Sam Morris <[EMAIL PROTECTED]> writes:

> I've been using my own CA certificate to secure my access (with SSL/TLS)
> to my personal email & web server for a while now. I originally
> generated the CA certificate with gnutls' certtool program. I now need
> to get the certificate working on a client running Mac OS X.
>
> It's fairly straightforward to import the certificate into OS X's
> Keychain application; however, Keychain insists that my CA is only an
> "intermediate certificate authority", and therefore OS X refuses to
> trust the certificate.
>
> I have gone through the output of 'certtool --info' and 'openssl x509
> -text', and have done quite some Googling by now, but I can't find any
> way to determine the criteria by which Keychain decides that my
> certificate is that of a root authority, or an intermediate authority.
>
> So my question is: is this root/intermediate setting actually in the
> certificate itself (in which case it's something I can fix by generating
> a new certificate--although I can't find any options for this in
> certtool's documentation; is it possible, or will I have to use openssl?)
> or is it something I need to do in the Keychain application?
Basically, root certificates have subject==issuer, intermediate
certificates have subject!=issuer.

> The certificate is available from
> https://crypt.ethx.net/robots.org.uk-CA.crt in case anyone wants a copy.

The certificate is missing the 'key usage' bits of certificate signing,
and a subject key ID. But that doesn't seem relevant to the error
message you got. And, many commercial CAs also lack those fields so you
aren't alone in this.

I think you'll need to debug this as a Keychain problem further, to
understand exactly why it is complaining. Can you add any other
certificate as a new trusted root CA?

/Simon

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
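The subject==issuer test from the reply, together with a check for the CA fields it says are missing, as an added example that is not part of the thread. The script builds three certificates with the openssl CLI (assumed to be on PATH; the subject names and file layout are constructed for this example): a root carrying basicConstraints, keyUsage keyCertSign and a subject key ID, a "bare" self-signed CA with only basicConstraints (the shape described in the reply), and an intermediate CA issued by the root. Each is classified by comparing subject and issuer, and then checked for the CA fields. A private config file is used so that the system openssl.cnf cannot add extensions of its own.

```shell
#!/bin/sh
# Added example, not from the thread: build a root CA, a bare self-signed
# CA (no keyUsage, no subject key ID) and an intermediate CA signed by the
# root, then apply the subject==issuer test and check the CA fields.
# Assumes the openssl CLI is on PATH; names and files are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the system openssl.cnf does not add extensions
# behind our back.  $3 holds the x509 extension lines ("" for none).
write_cnf() {  # $1 = path, $2 = CN, $3 = extension lines
  printf '[req]\ndistinguished_name = dn\nprompt = no\n' > "$1"
  if [ -n "$3" ]; then printf 'x509_extensions = ext\n' >> "$1"; fi
  printf '[dn]\nCN = %s\n' "$2" >> "$1"
  if [ -n "$3" ]; then printf '[ext]\n%s\n' "$3" >> "$1"; fi
}

# Self-signed CA certificate; $3 selects which extensions it carries.
make_self_signed() {  # $1 = basename, $2 = CN, $3 = extension lines
  write_cnf "$1.cnf" "$2" "$3"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config "$1.cnf" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# CA certificate issued by another CA, so subject != issuer.
make_intermediate() {  # $1 = basename, $2 = issuing CA basename
  write_cnf "$1.cnf" "Example Intermediate CA" ""
  openssl req -new -newkey rsa:2048 -nodes -config "$1.cnf" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf 'basicConstraints = critical,CA:TRUE,pathlen:0\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid\n' > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 1825 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}

# The test from the reply: subject == issuer means root, else intermediate.
classify_cert() {  # $1 = PEM file
  subj=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')
  iss=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')
  if [ "$subj" = "$iss" ]; then echo root; else echo intermediate; fi
}

# Return 0 only when the fields a CA certificate should carry are present:
# basicConstraints CA:TRUE, keyUsage keyCertSign and a subjectKeyIdentifier.
check_ca_fields() {  # $1 = PEM file
  txt=$(openssl x509 -noout -text -in "$1")
  printf '%s\n' "$txt" | grep -q 'CA:TRUE' \
    || { echo "$1: missing basicConstraints CA:TRUE"; return 1; }
  printf '%s\n' "$txt" | grep -q 'Certificate Sign' \
    || { echo "$1: missing keyUsage keyCertSign"; return 1; }
  printf '%s\n' "$txt" | grep -q 'Subject Key Identifier' \
    || { echo "$1: missing subjectKeyIdentifier"; return 1; }
  echo "$1: CA fields present"
}

# Signature check: does $1 chain to the trust anchor $2?
verify_against() {  # $1 = PEM to verify, $2 = trusted CA PEM
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_self_signed "$WORK/root" "Example Root CA" \
  'basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash'
make_self_signed "$WORK/bare" "Bare Root CA" 'basicConstraints = critical,CA:TRUE'
make_intermediate "$WORK/inter" "$WORK/root"

for c in root bare inter; do
  printf '%s: %s\n' "$c" "$(classify_cert "$WORK/$c.pem")"
  check_ca_fields "$WORK/$c.pem" || true
done
```

Run it with `sh` from any directory; the work directory is removed on exit. The bare certificate is reported as root by the subject/issuer test even though check_ca_fields flags the missing keyUsage, which is the distinction the reply draws: the missing fields are worth adding to a CA certificate, but they are not what makes a certificate self-issued or not. Only the intermediate, whose issuer is the root's subject, is classified as intermediate, and verify_against confirms it chains to the root.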
