> Richard Dykiel wrote:
>
> Hello,
>
> I'm using the openssl utility to create a set of certificates.
> I created a root certificate.
> Now I'm trying to create a certificate request for an intermediate CA
> (it would be signed by my root certificate).
>
> The command I use is:
> openssl req -config CAconf.conf -newkey rsa:1024 -outform DER -keyout keys\key1.prk -out cert\req1.p10 -reqexts v3_ca
>
> My config file has an extension section structured as follows:
> [ v3_ca ]
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid:always,issuer:always
> basicConstraints = CA:true
> keyUsage = cRLSign, keyCertSign
>
> The error I get is the following:
> Error Loading extension section v3_ca
> 265:error:22077079:X509 V3 routines:V2I_AUTHORITY_KEYID:no issuer certificate:.\crypto\x509v3\v3_akey.c:199:
> 265:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in extension:.\crypto\x509v3\v3_conf.c:91:name=authorityKeyIdentifier, value=keyid:always,issuer:always
>
> Does anybody know how I can specify the issuer certificate to use?
> Thanks
Your problem is that you are creating a certificate request and as such
the CA certificate is not specified at this point.
The authority key identifier is normally added using details in the CA
certificate when the CA signs the request.
Adding the extension to the certificate request doesn't really make
sense because the extension details depend on which CA certificate is
used to sign it...
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
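
The point of the reply above, as an added example that is not part of the original thread: the request carries only issuer-independent extensions, and authorityKeyIdentifier is applied from a separate section when the root signs it. File names, section names other than the poster's options, subject names and the 2048-bit key size are assumptions made for this sketch.

```shell
# Added example: builds a root CA, an intermediate CA request and the signed
# intermediate certificate in directory $1. All names here are assumptions.
issue_intermediate() {
  dir=$1
  cat > "$dir/ca.conf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
# Self-signed root, used with "req -x509"
[ v3_root ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true
keyUsage = critical, cRLSign, keyCertSign
# Request extensions: nothing here depends on the issuer
[ v3_req_ca ]
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign
# Applied at signing time, when the issuer certificate is known
[ v3_intermediate ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical, CA:true
keyUsage = critical, cRLSign, keyCertSign
EOF
  openssl req -x509 -config "$dir/ca.conf" -extensions v3_root -newkey rsa:2048 -nodes \
    -subj "/CN=Example Root CA" -days 30 -keyout "$dir/root.key" -out "$dir/root.pem" &&
  openssl req -new -config "$dir/ca.conf" -reqexts v3_req_ca -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate CA" -keyout "$dir/int.key" -out "$dir/int.csr" &&
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 30 -extfile "$dir/ca.conf" -extensions v3_intermediate \
    -out "$dir/int.pem"
}

# Print the hex value of a key identifier extension ($2 = title shown by -text).
ext_hex() {
  openssl x509 -in "$1" -noout -text | grep -A1 "$2" | tail -n 1 |
    sed 's/.*keyid://' | tr -d '[:space:]'
}

work=$(mktemp -d)
issue_intermediate "$work" >/dev/null 2>&1
echo "root subject key id:         $(ext_hex "$work/root.pem" 'Subject Key Identifier')"
echo "intermediate authority key:  $(ext_hex "$work/int.pem" 'Authority Key Identifier')"
```

The two printed identifiers match, which is the link a chain builder follows from the intermediate back to the root.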