On Wed, 2008-12-17 at 15:26 -0500, David W Blaine wrote: > > Hi John > > I, for one, really appreciate all your posts to the list cuz I usually > have the same problem ;) > > Sorry for sending this message to you offline, but I haven't taken the > time to fix my account that is authorized to post to the list. Too > much to do before year end. > > Anyway, I had this same issue and fixed it with the help of the code > that you posted. But my next problem I get "This certificate has a > nonvalid digital signature" in IE6 for the root certificate I just > created. The strange thing is it imports ok into the browser but it > doesn't get placed in Trusted Root Certs store - it puts itself in > Intermediate Root Certs store. Looking at the details of the > certificate there is a warning icon next to "Basic Constraints" and > "Key Usage". Have you run into this? > > I have used OpenCA 0.9.1 for several years. But I'm setting up a new > PKI infrastructure using this new version and chaning how my root CA > certificates are presented. I need to use DC-style so that I can > better support our Microsoft community. I wished there was better > docos for this stuff. > > ----------------------------------------------------------------- > DAVID BLAINE, GCIA , CISSP > GDLS-C Lead Information Risk Manager (LIRM) > CSC > > 6000 E. 17 Mile Rd. Sterling Heights MI 48313 > GIS | o: 586.825.7650 | c: 810.217.8041 | f: 586.825.8606 | > dblai...@csc.com | www.csc.com > <snip> Hi, David. I do recall hitting the problem where the CA cert is put in the wrong place. It was a number of years ago. If I recall correctly, one can import in an advanced way and tell it where to put the cert against all the objections IE will raise. I believe that's how we got around it.
We will soon need to address the dc issue, too. I think it will be pretty simple. I believe the key will be the templates in etc/openca/servers. I'm guessing we simply change: DN_TYPE_BASIC_BASE "O" "C" to DN_TYPE_BASIC_BASE "DC" "DC" At least I'm hoping it's that easy ;) Does anyone else have any experience doing this? Take care - John -- John A. Sullivan III Open Source Development Corporation +1 207-985-7880 jsulli...@opensourcedevel.com http://www.spiritualoutreach.com Making Christianity intelligible to secular society ------------------------------------------------------------------------------ SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada. The future of the web can't happen without you. Join us at MIX09 to help pave the way to the Next Web now. Learn more and register at http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/ _______________________________________________ Openca-Users mailing list Openca-Users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openca-users
