HI! I have a question about issuing SSL server certs for SGC (step-up certs): Ralf Engelschall's presentation states that extendedKeyUsage = msSGC,nsSGC has to be set in the whole certificate chain. (see http://www.modssl.org/docs/apachecon2001/slide-010-n.html) Now I wonder if this is also required for the root CA cert. Examining Verisign's certificate chain for a "Global Server ID" (step-up certificate) reveals that an intermediate CA cert is used which has extendedKeyUsage set with (2 16 840 1 113733 1 8 1) and (2 16 840 1 113730 4 1). (Found on http://www.verisign.com/support/tlc/class3_install_docs/intermediate/v00g.html) But the issuing root CA cert OU=Class 3 Public Primary Certification Authority O=VeriSign,Inc. C=US seems to be a X.509v1 cert without any extensions (if I looked it up correctly in Mozilla 0.9.2). Any clue? Ciao, Michael. ______________________________________________________________________ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
