Hi Marat,
I have signed a Win2K subordinate CA cert with openssl (v0.9.6)
as root CA. The following extensions are used:
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical, cRLSign, keyCertSign
nsCertType = sslCA, emailCA
crlDistributionPoints=URI:https://host_stored_crls/root.crl
The Win2K sub-CA cert can then be used to issue certs for AD
users and computers. SSL auth with those end-user certs is fine
but smartcard logon doesn't work (it is OK if the root CA is a Win2K CA).
Rgds.
Martin
Dr S N Henson wrote:
>
> "Marat S. Salimov" wrote:
> >
> >
> > Thank you for your answer Steve. Please correct me if I'm wrong. As I've got my
> > plan should be like this one:
> > -I take the latest release of OpenSSL's 'ca'. BTW which one?
> > -I upgrade my old OpenSSL's 'ca' with the last obtained
> > -I look for the options which copy extensions from the request to the certificate
> > -I use this certificate to sign my Microsoft CA
> >
> > Does anybody know about such situations that have succeeded?
> >
>
> No, you need to get the latest snapshot for 0.9.7. If you can send me the
> certificate request then I'll tell you whether it's likely to work or
> not. It all depends on what extensions are present.
>
> Steve.
> --
> Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]