In message <[EMAIL PROTECTED]> on Mon, 26 Apr 2004 08:27:12 +0200, testpgp <[EMAIL 
PROTECTED]> said:

testpgp> I'm trying to double sign a CA certificate with two others CA
testpgp> (CA1 & CA2) Unfortunately, I can't see such options with
testpgp> openssl. The command I usually use is the following :
testpgp> "openssl ca -in ca3.req -out ca3.pem -keyfile ca2.key -cert ca2.pem 
testpgp> -days 1095 -extensions CA_SSL -config"

The reason you can't do it with OpenSSL is that the X.509 certificate
format only allows one signature.  Period.

If you want to have your certificate signed by two CAs, you really
need to have two certificates, each signed by one of the CAs.  This is
perfectly legal in a PKI, and it will be up to the relying party to
check your certificate against the correct CA.

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte   \ Tunnlandsvägen 52 \ [EMAIL PROTECTED]
[EMAIL PROTECTED]  \ S-168 36  BROMMA  \ T: +46-708-26 53 44
                    \      SWEDEN       \
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to