Hi, This is a followup to an earlier inquiry regarding CA certificates in a certificate chain.
I got a test configuration where I have a root CA and a subroot CA, by first creating two self-signed CAs (ATEST4 and ATEST5) and then getting the ATEST4 CA to re-sign the ATEST5 CA's cert. It seems like this is working, i.e., I can issue client and server certificates from the subroot CA, they seem to work all right, and I can verify the cert chain from the end certificate back to the root CA certificate.

But I was looking at the CA certs that I ended up with, using "openssl x509", and got:

This is the SUB ROOT CA's Cert:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                10:bf:34:36:b6:96:bd:35:07:b5:c5:92:8e:ce:df:9d
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: [EMAIL PROTECTED], C=US, O=ATest4Dept, OU=ATest4Co, CN=ATEST4
            Validity
                Not Before: Mar  2 06:08:03 2005 GMT
                Not After : Feb 27 09:22:27 2008 GMT
            Subject: [EMAIL PROTECTED], C=US, O=ATest5Dept, OU=ATest5Co, CN=ATEST5
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:97:95:7d:be:91:24:0e:da:c6:ab:0f:5f:6d:53:
                        4d:7a:a8:9a:a8:5a:8d:38:04:1d:61:cf:a9:5b:bb:
                        7b:8f:d1:42:6f:88:db:4e:12:db:e0:30:59:ea:84:
                        . <snip> .
                        24:07:49:62:e3:a7:78:9b:fd:59:47:12:9b:85:6b:
                        87:73:8d:32:ff:52:3b:13:c1
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:TRUE
                X509v3 Key Usage: critical
                    Digital Signature, Certificate Sign, CRL Sign
                X509v3 Authority Key Identifier:
                    keyid:FF:78:E3:03:37:8D:EA:0F:1D:ED:B0:C7:D2:48:49:C6:90:D1:D5:B0
                X509v3 Subject Key Identifier:
                    8F:42:40:96:67:D8:48:02:06:B5:F0:68:7D:59:F5:6A:E5:14:92:68
        Signature Algorithm: sha1WithRSAEncryption
            78:4f:38:1f:f8:82:89:b7:42:49:f0:8e:81:46:a3:5a:40:bc:
            d1:f9:7a:fd:ea:e4:96:17:52:cc:c6:c0:9b:dd:56:40:fc:6c:
            . <snip> .
            08:0b:28:03:63:78:52:d2:08:f9:63:69:0a:f5:65:0f:44:d3:
            95:d7:93:ce:7d:8a:e5:70:e4:3d:11:8e:92:e5:3e:0b:b0:a2:
            09:c3

This is the ROOT CA's Cert:

    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number:
                8c:5e:50:92:11:7d:d1:77:c6:52:ab:7d:be:65:7f:3a
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: [EMAIL PROTECTED], C=US, O=ATest4Dept, OU=ATest4Co, CN=ATEST4
            Validity
                Not Before: Mar  2 05:38:29 2005 GMT
                Not After : Mar  1 09:19:53 2008 GMT
            Subject: [EMAIL PROTECTED], C=US, O=ATest4Dept, OU=ATest4Co, CN=ATEST4
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:b6:a1:fd:a8:66:eb:75:40:9c:84:a0:f7:21:80:
                        89:84:87:2b:9a:4c:b0:be:97:69:0c:36:15:9b:96:
                        . <snip> .
                        b6:43:25:95:17:4d:ee:e3:5d:26:c3:df:33:50:ce:
                        70:96:41:eb:f4:2a:6d:98:ff
                    Exponent: 65537 (0x10001)
        Signature Algorithm: sha1WithRSAEncryption
            ad:b0:f1:d6:39:85:36:f1:35:7e:5c:5f:ce:24:58:e0:97:c5:
            f1:41:d3:5b:b6:9d:48:2b:f3:1d:51:28:e9:ee:8f:35:45:3b:
            . <snip> .
            01:fa:d3:7e:f7:47:a6:34:ad:88:71:35:23:a5:25:0f:d0:3b:
            94:56:37:8c:06:22:3e:7e:83:ab:ba:f2:de:b5:86:60:03:22:
            38:89

Per earlier messages from Steve Henson, the SUB ROOT CA (CN=ATEST5) has "Basic Constraints" with "CA=TRUE", and "Digital Signature, Certificate Sign, CRL Sign". However, I noticed that the ROOT CA (CN=ATEST4) certificate doesn't have any of these extensions (e.g., "CA=TRUE", etc.), and yet it was able to re-sign the SUB ROOT CA (CN=ATEST5) certificate, and the SUB ROOT CA seems to be able to issue proper end user certs.

The questions that I have are:

1) Do both of these CA certs look "all right"?

2) Does the ROOT CA cert look "all right" for a CA certificate, i.e., does it look like a valid ROOT CA certificate?

Thanks in advance,
Jim

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
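Added example, not part of the thread above and not OpenSSL project code: the script below rebuilds Jim's setup with the openssl command line (root, sub-CA, leaf) and runs the same chain check he describes, once with a sub-CA that carries basicConstraints CA:TRUE and keyCertSign as Steve Henson advised, and once with a sub-CA that is an X.509v3 certificate marked CA:FALSE. The first chain verifies; the second is rejected as "invalid CA certificate" even though `openssl x509 -req` signed the leaf with it without complaint, because signing never checks the issuer's CA-ness, only verification does. The root is produced with no extension file, like the ATEST4 root in the post; OpenSSL's CA check accepts a self-signed X.509v1 certificate as a trust anchor (a v1 certificate cannot carry basicConstraints at all), which is why ATEST4 works, although RFC 5280 requires CA certificates to be v3 with basicConstraints and other validators need not be as tolerant. Whether your OpenSSL release emits a v1 or a v3 certificate for that extension-less root depends on its defaults, so the script prints the version it got. The DNs reuse the post's ATEST4/ATEST5 names; the file names, key sizes, leaf subject and extension sets are this example's own constructed choices.

```shell
#!/bin/sh
# Added example (not from the post or the OpenSSL project): build a
# root -> sub-CA -> leaf chain with the openssl CLI and see how the sub-CA's
# basicConstraints/keyUsage decide whether "openssl verify" accepts it.
# DNs follow the post; file names, key sizes, leaf subject and the
# extension sets below are this example's own (constructed) choices.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

SUBJ_ROOT="/C=US/O=ATest4Dept/OU=ATest4Co/CN=ATEST4"
SUBJ_SUB="/C=US/O=ATest5Dept/OU=ATest5Co/CN=ATEST5"
SUBJ_LEAF="/C=US/O=ATest5Dept/CN=server.example.test"   # constructed name

# Sub-CA as advised in the thread: CA:TRUE plus keyCertSign/cRLSign.
# pathlen:0 additionally forbids this sub-CA from issuing further CAs.
GOOD_SUB_EXT="basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,digitalSignature,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid"

# Failure mode: a v3 certificate that is explicitly NOT a CA. openssl x509
# -req will still sign a leaf with it; verification must reject the chain
# (X509_V_ERR_INVALID_CA, "invalid CA certificate").
BAD_SUB_EXT="basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature
subjectKeyIdentifier=hash"

LEAF_EXT="basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer"

# Fresh RSA key + CSR. $1 = file prefix, $2 = subject DN.
keycsr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}

# Self-signed root with no extension file, like the post's ATEST4 root.
# Older releases emit a plain X.509v1 certificate here; newer ones may add
# default extensions. cert_version shows which you got.
make_root() {
    keycsr root "$SUBJ_ROOT"
    openssl x509 -req -days 3650 -sha256 -in "$WORK/root.csr" \
        -signkey "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
}

# Issue certificate $1 from issuer $2 with the extension text in $3.
issue() {
    printf '%s\n' "$3" > "$WORK/$1.ext"
    openssl x509 -req -days 365 -sha256 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Build root -> sub -> leaf, using $1 as the sub-CA's extensions.
build_chain() {
    make_root
    keycsr sub "$SUBJ_SUB"
    issue sub root "$1"
    keycsr leaf "$SUBJ_LEAF"
    issue leaf sub "$LEAF_EXT"
}

# The chain check from the post: trust the root, hand the sub-CA over as
# an untrusted intermediate, verify the leaf. Prints OK or FAIL.
verify_chain() {
    if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/sub.pem" \
            "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# The "Version:" field of certificate $1, e.g. "1 (0x0)".
cert_version() {
    openssl x509 -noout -text -in "$WORK/$1.pem" | sed -n 's/^ *Version: //p'
}

build_chain "$GOOD_SUB_EXT"
echo "root is X.509 version $(cert_version root); CA:TRUE sub-CA -> $(verify_chain)"
build_chain "$BAD_SUB_EXT"
echo "CA:FALSE sub-CA -> $(verify_chain)"
```

To inspect the rejection reason rather than just OK/FAIL, run the `openssl verify` line by hand without the redirect; for the CA:FALSE sub-CA it reports error 24 at depth 1, "invalid CA certificate". Re-running `openssl x509 -noout -text` on root.pem is the quickest way to see whether your release gave you a v1 root like ATEST4 or a v3 one with default extensions.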