In message <[EMAIL PROTECTED]> on Mon, 26 Apr 2004 08:27:12 +0200, testpgp <[EMAIL PROTECTED]> said:
testpgp> I'm trying to double sign a CA certificate with two other CAs
testpgp> (CA1 & CA2). Unfortunately, I can't see such options with
testpgp> openssl. The command I usually use is the following:
testpgp> "openssl ca -in ca3.req -out ca3.pem -keyfile ca2.key -cert ca2.pem
testpgp> -days 1095 -extensions CA_SSL -config"

The reason you can't do it with OpenSSL is that the X.509 certificate format only allows one signature. Period.

If you want to have your certificate signed by two CAs, you really need to have two certificates, each signed by one of the CAs. This is perfectly legal in a PKI, and it will be up to the relying party to check your certificate against the correct CA.

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte   \ Tunnlandsvägen 52 \ [EMAIL PROTECTED]
[EMAIL PROTECTED] \ S-168 36 BROMMA   \ T: +46-708-26 53 44
                  \ SWEDEN            \
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
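The approach described in the reply above, as an added example that is not part of the original thread: CA3 keeps one key pair and one request, and each of CA1 and CA2 issues its own certificate for it. It assumes `openssl x509 -req` in place of the `openssl ca` command from the question (so no CA config file is needed); all file names, subjects and lifetimes are constructed.

```bash
#!/usr/bin/env bash
# Added example: CA3 keeps one key pair and gets two certificates, one per issuer.
# All names (ca1, ca2, ca3, leaf) and lifetimes are constructed for the demo.
set -eu
cd "$(mktemp -d)"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# new_csr NAME: fresh RSA key NAME.key and request NAME.csr with subject CN=NAME
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "/CN=$1" -out "$1.csr" 2>/dev/null
}

# issue CSR CA_CERT CA_KEY OUT SERIAL [EXTFILE]: exactly one issuer per certificate
issue() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -set_serial "$5" -days 30 \
    ${6:+-extfile "$6"} -out "$4" 2>/dev/null
}

# chains_to ANCHOR CERT [INTERMEDIATE]: prints ok or fail
chains_to() {
  if openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# Two independent roots, each self-signed with its own key.
for ca in ca1 ca2; do
  new_csr "$ca"
  openssl x509 -req -in "$ca.csr" -signkey "$ca.key" -days 30 \
    -extfile ca.ext -out "$ca.pem" 2>/dev/null
done

# One request for CA3, signed once by each root: two certificates, same key.
new_csr ca3
issue ca3.csr ca1.pem ca1.key ca3-by-ca1.pem 1 ca.ext
issue ca3.csr ca2.pem ca2.key ca3-by-ca2.pem 1 ca.ext

# A certificate issued by CA3 validates through either CA3 certificate.
new_csr leaf
issue leaf.csr ca3-by-ca1.pem ca3.key leaf.pem 2

echo "ca3-by-ca1 under CA1:     $(chains_to ca1.pem ca3-by-ca1.pem)"
echo "ca3-by-ca2 under CA1:     $(chains_to ca1.pem ca3-by-ca2.pem)"
echo "leaf via CA1 path:        $(chains_to ca1.pem leaf.pem ca3-by-ca1.pem)"
echo "leaf via CA2 path:        $(chains_to ca2.pem leaf.pem ca3-by-ca2.pem)"
```

The relying party chooses the path: whoever trusts CA1 is handed `ca3-by-ca1.pem` as the intermediate, whoever trusts CA2 is handed `ca3-by-ca2.pem`.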