-----Original Message-----
From: Dr S N Henson <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Fri, 06 Apr 2001 12:54:32 +0100
Subject: Re: Need to sign Microsoft CA by openssl
>
> Noor Haizad Mohd Said wrote:
> >
> > Dear Marat,
> >
> > I also faced the same problem as you. I want to issue a CA cert by signing a request generated by Windows 2000. I also tried to cross-certify their CA certificate. Both of them failed.
> > The reasons this might happen are:
> >
> > 1) For generating a certificate by signing a W2000 request, the certificate is successfully created. But the certificate must contain the CRL Distributions and CA Version fields. The CA Version OID is important because it is used as a reference in the W2000 Cert Services. Please refer to W2000 Certificate Services.
> >
> > 2) To cross-certify their CA cert, the Subject Key Identifier must be retrieved correctly. I used a different engine to cross-certify the W2000 CA cert. It failed.
> >
> > I hope this can give you some guidance. Maybe somebody can give some answers on these matters.
> >
>
> Well if you're signing a CA certificate you have to ensure you are using
> the correct extensions. By default the OpenSSL utilities sign an end
> user certificate so that's one thing to watch out for.
>
> Wrt unsupported extensions, are they present in the certificate request?
> If so then the latest development release of OpenSSL's 'ca' utility has
> some options which will copy extensions from a request to the signed
> certificate. Even if they aren't supported this will still work if they
> are in the request.
Thank you for your answer, Steve. Please correct me if I'm wrong. As I've got it, my plan should be like this:
- I take the latest release of OpenSSL's 'ca'. BTW, which one?
- I upgrade my old OpenSSL's 'ca' with the latest one obtained
- I look for the options which copy extensions from the request to the certificate
- I use this certificate to sign my Microsoft CA
Does anybody know of such situations that have succeeded?
>
> Steve.
> --
> Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>
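
An added example, not part of the original thread and not the OpenSSL project's own files: one way to sign a CA request with `openssl ca` so that the issued certificate gets CA extensions and also keeps extensions carried in the request, using the `copy_extensions` option of released OpenSSL versions. The file names, subject names and the placeholder OID 1.2.3.4.5 are constructed for illustration.

```shell
# Added example; all names are constructed. 1.2.3.4.5 is a placeholder OID
# standing in for a vendor extension that OpenSSL does not know by name.
sign_sub_ca() {
  d=$(mktemp -d) || return 1
  rc=0
  ( cd "$d" && mkdir newcerts && : > index.txt && echo 01 > serial &&
    cat > ca.cnf <<'EOF' &&
[ca]
default_ca = demo_ca
[demo_ca]
database = index.txt
new_certs_dir = newcerts
serial = serial
default_md = sha256
policy = any
unique_subject = no
# CA-chosen extensions: without CA:TRUE the result is an end-user certificate.
x509_extensions = sub_ca_ext
# Carry over request extensions that the section above does not set itself.
copy_extensions = copy
[any]
commonName = supplied
[sub_ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[req]
distinguished_name = dn
prompt = no
req_extensions = vendor_ext
[dn]
CN = Constructed Sub CA
[vendor_ext]
1.2.3.4.5 = DER:02:01:00
EOF
    # Self-signed root, then a request that carries the placeholder extension.
    openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -extensions sub_ca_ext \
      -subj "/CN=Constructed Root CA" -days 30 -keyout root.key -out root.pem 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
      -keyout sub.key -out sub.csr 2>/dev/null &&
    # Sign the request as a CA certificate and check that it chains to the root.
    openssl ca -batch -notext -config ca.cnf -cert root.pem -keyfile root.key \
      -days 30 -in sub.csr -out sub.pem 2>/dev/null &&
    openssl verify -CAfile root.pem sub.pem >/dev/null &&
    openssl x509 -in sub.pem -noout -text
  ) || rc=$?
  rm -rf "$d"
  return $rc
}
```

With `copy_extensions = copy`, an extension set in the CA's own section takes precedence over the same extension in the request, which is why `basicConstraints` is set there rather than taken from the requester.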