Hi Kevin,

I recently set up RC6 more or less according to Kevin Mitcham's cookbook
as a two-interface (RA and CA) system on one computer.

I've been generating client certificates and learning more about the
software, but I've tried importing the root CA certificate (the first
cert generated in the cookbook) into a web browser as a signing
certificate and it was refused with the error, "...not a signer..."

When I look at the cert with:
openssl x509 -noout -text -in 1.crt

I see:
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE

However, I read in the OpenCA Guide at 3. OpenSSL; Chapter 2.
Configuration:

"You must care about three configuration files and directories:
etc/openssl/openssl.cnf, etc/openssl/openssl and etc/openssl/extfiles.
The first file contains the configuration for the CA. This means the
file is used for the generation of the initial CA-CSR, the self-signed
certificate (if you set up a Root CA) and the CRLs."

and when I look at etc/openssl/openssl.cnf (in both my open[cr]a/etc
directories), I see this:

===============
[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
default_md              = sha1
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions         = v3_ca                   # The extensions to
                                                  # add to the self
                                                  # signed cert
...
[ v3_ca]

# Extensions for a typical CA

# It's a CA certificate
basicConstraints = critical, CA:true
===============

Shouldn't my first cert have basicConstraints CA:true instead of
CA:FALSE?

I think you are a little bit confused.

1. A root CA certificate is the self-signed certificate of the CA. This certificate only signs other certificates and CRLs. CA:FALSE shows me that you try to download a normal certificate. You must import the CA certificate as signer (CA) certificate.

2. The first certificate is the first certificate signed by the CA. This certificate must have CA:FALSE because it is usually not the certificate of a sub CA.

The easiest way for you is the following:

1. Make a list
- CA cert: ...
- 1. normal cert: ...
- 2. normal cert

2. Imports
- import the CA certificate as signer (CA:true) certificate
- import the normal certs (CA:FALSE)

Michael
--
_______________________________________________________________

Michael Bell                    Humboldt-Universitaet zu Berlin

Tel.: +49 (0)30-2093 2482       ZE Computer- und Medienservice
Fax:  +49 (0)30-2093 2704       Unter den Linden 6
[EMAIL PROTECTED]   D-10099 Berlin
_______________________________________________________________
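The sorting step from the reply above, as an added example (not code from the thread or from OpenCA): it reads the `openssl x509 -noout -text` dump, checks the basicConstraints line, and labels each file "CA cert" or "normal cert" so the right one is imported as the signer. It assumes the OpenSSL command-line tool for real files; the sample dumps below are constructed.

```shell
#!/bin/sh
# Added example: classify certificates by their basicConstraints extension.

# classify_dump: read an `openssl x509 -noout -text` dump on stdin and print
# CA when basicConstraints says CA:TRUE, otherwise NORMAL (CA:FALSE, or the
# extension is missing, which is also not a signer certificate).
classify_dump() {
    if awk '/X509v3 Basic Constraints/ { getline; print }' | grep -q 'CA:TRUE'; then
        echo CA
    else
        echo NORMAL
    fi
}

# classify_file: same check for a certificate file (needs the openssl CLI).
classify_file() {
    openssl x509 -noout -text -in "$1" | classify_dump
}

# make_list: print the list from the reply, one line per file, e.g.
#   CA cert: cacert.pem
#   NORMAL cert: 1.crt
make_list() {
    for f in "$@"; do
        echo "$(classify_file "$f") cert: $f"
    done
}

# Constructed sample dumps: the extension lines as openssl prints them for a
# root CA (CA:TRUE) and for the first certificate signed by it (CA:FALSE).
SAMPLE_ROOT='        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE'
SAMPLE_LEAF='        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE'

# demo: run the classifier over the constructed samples.
demo() {
    printf '%s\n' "$SAMPLE_ROOT" | classify_dump
    printf '%s\n' "$SAMPLE_LEAF" | classify_dump
}
```

Only the file reported as CA goes into the browser as a signer (CA) certificate; the NORMAL ones are imported as ordinary certificates.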
