On Sunday 27 May 2007 03:38, Victor Duchovni wrote:
> On Sun, May 27, 2007 at 12:13:38AM +0100, Mick wrote:
> > On Saturday 26 May 2007 21:38, Victor Duchovni wrote:
> > > On Sat, May 26, 2007 at 10:11:08PM +0200, Marek Marcola wrote:
> > > > $ openssl x509 -in cert.pem -text -noout
> > > > .
> > > > .
> > > > X509v3 extensions:
> > > > X509v3 Basic Constraints:
> > > > CA:FALSE
> > > > X509v3 Key Usage:
> > > > Digital Signature, Non Repudiation, Key Encipherment
> > > > .
> > >
> > > Perhaps a mini-ca will help. See "ca.sh", "cert.sh" and "openssl.cnf"
> > > used as follows:
> >
> > [snip]
> >
> > Thanks Victor,
> >
> > Can you see anything amiss with my attached openssl.cnf?
>
> Sorry, for me openssl.cnf is a write-only interface... Perhaps someone
> else can help you. I find the files easier to write than read.

Just a clarification: my user certificate has no x509v3 extensions as I
mentioned in a previous message; on the other hand my CA certificate has the
following extensions:
=====================================================
[snip...]
X509v3 extensions:
X509v3 Subject Key Identifier:
3B:9A:F7:7D:8D:15:F2:5C:88:82:D8:C2:00:F2:7C:77:41:CD:79:AF
X509v3 Authority Key Identifier:
keyid:3B:9A:F7:7D:8D:15:F2:5C:88:82:D8:C2:00:F2:7C:77:41:CD:79:AF
DirName: [snip...]
serial:9A:32:DA:E9:94:87:E4:CD
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
=====================================================
There's no keyUsage in there.
In my openssl.cnf I see this para which has been commented out:
=====================================================
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
=====================================================
Is this significant, or related to my problem of getting all these errors in
Kmail and gpgsm with the user certificates?
--
Regards,
Mick
