Hi List- I recently set up RC6 more or less according to Kevin Mitcham's cookbook as a two-interface (RA and CA) system on one computer.
I've been generating client certificates and learning more about the software, but I've tried importing the root CA certificate (the first cert generated in the cookbook) into a web browser as a signing certificate and it was refused with the error, "...not a signer..." When I look at the cert with: openssl x509 -noout -text -in 1.crt I see: X509v3 extensions: X509v3 Basic Constraints: CA:FALSE However, I read in the OpenCA Guide at 3. OpenSSL; Chapter 2. Configuration: "You must care about three configurationfiles and -directories etc/openssl/openssl.cnf, etc/openssl/openssl and etc/openssl/extfiles. The first file contains the configuration for the CA. This means the file is used for the generation of the initial CA-CSR, the selfsigned certificate (if you setup a Root CA) and the CRLs." and when I look at etc/openssl/openssl.cnf (in both my open[cr]a/etc directories, I see this: =============== [ req ] default_bits = 1024 default_keyfile = privkey.pem default_md = sha1 distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca # The extentions to # add to the self signed ... [ v3_ca] # Extensions for a typical CA # It's a CA certificate basicConstraints = critical, CA:true =============== Shouldn't my first cert have basicConstraints CA:true instead of CA:FALSE? TIA. -Kevin ------------------------------------------------------- This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170 Project Admins to receive an Apple iPod Mini FREE for your judgement on who ports your project to Linux PPC the best. Sponsored by IBM. Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php _______________________________________________ Openca-Users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/openca-users