On Tue, Apr 24, 2001 at 03:41:58PM +0200, Peter Lindsäth wrote:
> Well, now there seems to be a problem making an intermediate CA using the self-signed
> CA.
> I've been trying some different approaches but I don't seem to get it right. The most
> commonly proposed method, in the mail-archive, would be using the following line:
> 
> openssl x509 -req -in node2root.req -CA root.cert -CAkey root.key -out node2root.cert
> -CAcreateserial
> 
> This, however, doesn't seem to work if you trust the output of 'openssl x509 -in
> node2root.cert -noout -text'.  And by using the cert with my application
> X509_V_ERR_INVALID_CA is received.  I guess the line 'CA:TRUE' is missing in the
> 'X509v3 Basic Constraints', but how do I fix that?

If your node2root shall be an intermediate CA, you need to add something
like "-extensions v3_ca". This way, a new intermediate CA that can issue
certificates is created. Have a look into openssl.cnf and create your
own section "v3_ca_sslclient" and restrict the CA to be just sslCA.
(Maybe even just a "ssl-client" CA, if possible.)
I am not an expert on this topic, but I am sure this discussion gave
you enough keywords to query your favorite search engine...

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
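
The approach suggested in the reply, as an added example that is not part of the original messages or of OpenSSL's shipped configuration: the request is signed once without and once with an extension section, and a leaf certificate is then verified through each intermediate. The file names and the section name `v3_ca_sslclient` come from the thread; the section contents, subject names, lifetimes and the helper function names are assumptions. `openssl x509 -req` needs `-extfile` to point at the file that holds the section named by `-extensions`.

```shell
#!/bin/sh
# Added example. root.*, node2root.* and v3_ca_sslclient are names from the
# thread; section contents, subjects and the 30-day lifetime are assumptions.
# All keys are throwaway keys generated for the demonstration.

setup_pki() {           # $1 = empty working directory
    cd "$1" || return 1
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_ca_sslclient ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
nsCertType = sslCA
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config ca.cnf \
        -extensions v3_ca -subj "/CN=Example Root CA" \
        -keyout root.key -out root.cert 2>/dev/null &&
    new_req node2root "Example Intermediate CA" &&
    new_req leaf "client.example"
}

new_req() {             # $1 = file stem, $2 = common name
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.req" 2>/dev/null
}

sign_intermediate() {   # $1 = output cert, $2 = optional extension section
    ext=${2:+"-extfile ca.cnf -extensions $2"}
    openssl x509 -req -in node2root.req -CA root.cert -CAkey root.key \
        -CAcreateserial -days 30 -out "$1" $ext 2>/dev/null
}

has_ca_true() {         # succeeds if the certificate text shows CA:TRUE
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

chain_ok() {            # $1 = intermediate cert: issue a leaf, verify chain
    openssl x509 -req -in leaf.req -CA "$1" -CAkey node2root.key \
        -CAcreateserial -days 30 -out leaf.cert 2>/dev/null &&
    openssl verify -CAfile root.cert -untrusted "$1" leaf.cert >/dev/null 2>&1
}
```

Call `setup_pki "$(mktemp -d)"`, then `sign_intermediate plain.cert` and `sign_intermediate node2root.cert v3_ca_sslclient`; `chain_ok` succeeds only for the second certificate, because the first lacks the CA basic constraint.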
