Hi List-
I recently set up RC6 more or less according to Kevin Mitcham's cookbook
as a two-interface (RA and CA) system on one computer.
I've been generating client certificates and learning more about the
software, but I've tried importing the root CA certificate (the first
cert generated in the cookbook) into a web browser as a signing
certificate and it was refused with the error, "...not a signer..."
When I look at the cert with:
openssl x509 -noout -text -in 1.crt
I see:
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
However, I read in the OpenCA Guide at 3. OpenSSL; Chapter 2.
Configuration:
"You must care about three configurationfiles and -directories
etc/openssl/openssl.cnf, etc/openssl/openssl and etc/openssl/extfiles.
The first file contains the configuration for the CA. This means the
file is used for the generation of the initial CA-CSR, the selfsigned
certificate (if you setup a Root CA) and the CRLs."
and when I look at etc/openssl/openssl.cnf (in both my open[cr]a/etc
directories, I see this:
===============
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
default_md = sha1
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to
# add to the self
signed
...
[ v3_ca]
# Extensions for a typical CA
# It's a CA certificate
basicConstraints = critical, CA:true
===============
Shouldn't my first cert have basicConstraints CA:true instead of
CA:FALSE?
TIA.
-Kevin
-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users
