> Jeremy wrote:
> 
> Yeah, I've read what Reiner had to say. The thing is I've done what
> I'm trying to do before. Here's (hopefully) a better explanation of
> what I've done before and what I'm trying to do:
> 
> The original time I did this I *somehow* signed a brand new
> certificate with a certificate signed by Thawte. I did this using
> sign.sh. I was in the middle of documenting this when my Word document
> was corrupted!!
> 
> The result I wanted and the result I got was the tree in the
> certification path of the certificate: "Thawte -> secure.3kb.net ->
> www.newcert.co.nz". I found these details by double-clicking on the
> padlock in IE, then selecting the certification path tab.
> 
> The only problem with that is that anyone who wanted to connect to the
> secure port using the new certificate required the certificate to be
> installed on their machine. Other than that it was a valid
> certificate.
> 
> So as an alternative I thought that I would do the same thing, but
> this time name the new cert as newcert.secure.3kb.net extending off
> secure.3kb.net (the Thawte signed cert), thus eliminating the need to
> install the certificate as it was still using the same domain name.
> 
> Is there any reason why I wouldn't be able to create a valid
> certificate with the same domain name but would be able to create a
> valid certificate, extending off the key signed by thwate, with a
> different domain name?
> 
> Perhaps I'm barking up the wrong tree altogether and what I'm trying to
> do now is totally different to what I achieved previously.
> 
> I hope this helps you understand what I'm trying to do.

If the certificate you've got from Thawte is a valid CA certificate
(i.e. you paid $$$ for it) then this is OK.

You can sign a new certificate using the Thawte certificate by using
either the 'ca' or 'x509' utilities in OpenSSL or the CA.pl wrapper to
'ca'. 

If however the certificate is not a valid CA certificate then it will be
rejected by OpenSSL, Netscape and MSIE. 

You may be able to fiddle that by installing the Thawte certificate and
explicitly trusting it but that's just effectively forcing IE or
Netscape to ignore its invalidity. It's also possible that some ancient
versions of IE will allow it.

There's a good reason for that. It is to stop people pretending to be a
CA and issuing certificates with totally bogus details.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
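As an added illustration of Steve's point (this is example code written for this page, not from the thread or the OpenSSL project), the script below builds a throwaway PKI with the `openssl` command-line tool: a root CA whose certificate carries `basicConstraints CA:TRUE`, an end-entity server certificate issued by that root with `CA:FALSE`, and then an attempt to issue a further certificate using the server certificate as the issuer. `openssl x509 -req` will usually sign anyway (which is how a certificate like the one described above can come into existence), but `openssl verify` refuses the resulting chain because the middle certificate is not a CA. All names (`Example Root CA`, `secure.example.test`, `newcert.secure.example.test`) are constructed, and the script assumes OpenSSL 1.1.1 or 3.x is on `PATH`.

```shell
#!/bin/sh
# Added example, not part of the original thread. Demonstrates why a
# certificate issued by a non-CA (end-entity) certificate fails validation.
# Assumes the `openssl` CLI (1.1.1 or 3.x) is installed. All names are constructed.
set -eu

WORK=$(mktemp -d)
CNF="$WORK/pki.cnf"

# Minimal config: a CA profile (CA:TRUE) and an end-entity profile (CA:FALSE).
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
[dn]
# subject is always passed with -subj, so nothing is prompted for here
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# Self-signed root with the CA profile (stands in for a real CA such as Thawte).
build_root() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -config "$CNF" -extensions v3_ca -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# Issue an end-entity certificate for CN=$1, signed by issuer cert $2 / key $3,
# writing $WORK/$4.{key,csr,crt}. Note that `x509 -req` does not itself check
# whether the issuer certificate is allowed to act as a CA.
issue_leaf() {
  name=$1; issuer_crt=$2; issuer_key=$3; out=$4
  openssl req -new -newkey rsa:2048 -nodes -config "$CNF" -subj "/CN=$name" \
    -keyout "$WORK/$out.key" -out "$WORK/$out.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$out.csr" \
    -CA "$issuer_crt" -CAkey "$issuer_key" -CAcreateserial \
    -extfile "$CNF" -extensions v3_leaf -out "$WORK/$out.crt" 2>/dev/null
}

# Return 0 if certificate $1 chains to the root (optionally via untrusted
# intermediate $2), 1 otherwise. This is the check a browser or OpenSSL performs.
chain_ok() {
  cert=$1; untrusted=${2:-}
  if [ -n "$untrusted" ]; then
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$untrusted" "$cert" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/root.crt" "$cert" >/dev/null 2>&1
  fi
}

# Return 0 when a certificate issued by the non-CA server certificate is
# rejected, either at issuance or (more commonly) at verification time.
non_ca_issuer_rejected() {
  if ! issue_leaf "newcert.secure.example.test" "$WORK/server.crt" "$WORK/server.key" sub; then
    echo "issuance refused by openssl x509 -req"
    return 0
  fi
  if chain_ok "$WORK/sub.crt" "$WORK/server.crt"; then
    echo "UNEXPECTED: chain through a non-CA certificate verified"
    return 1
  fi
  echo "sub.crt rejected: $(openssl verify -CAfile "$WORK/root.crt" \
        -untrusted "$WORK/server.crt" "$WORK/sub.crt" 2>&1 | tail -n 1)"
  return 0
}

build_root
issue_leaf "secure.example.test" "$WORK/root.crt" "$WORK/root.key" server

echo "root:   $(openssl x509 -in "$WORK/root.crt"   -noout -ext basicConstraints | tail -n 1)"
echo "server: $(openssl x509 -in "$WORK/server.crt" -noout -ext basicConstraints | tail -n 1)"

if chain_ok "$WORK/server.crt"; then
  echo "server.crt chains to root: OK"
else
  echo "server.crt does not chain to root"
fi
non_ca_issuer_rejected
```

The failing verification reports `invalid CA certificate` for the server certificate in the chain: the verifier walks up from `sub.crt`, finds that its issuer lacks `CA:TRUE`, and stops there regardless of whether the signature itself is mathematically valid. That is the check Steve describes, and it is why a certificate bought for a server name cannot be turned into an issuing CA simply by signing with its key.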