Hello,
since Firefox 3.5 apparently doesn't accept Root CA self signed
certificate which doesn't contain correct extensions (Basic Constraints:
CA:TRUE)
I wonder how I can add these extensions to my already existing and self
signed Root CA :
http://ca.institut-telecom.fr/pki/IT_MASTER_CA/itrootca.crt
My second level (intermediate;
http://ca.institut-telecom.fr/pki/IT_CA/itca.crt) CA does contain these
extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Netscape Cert Type:
SSL CA, S/MIME CA, Object Signing CA
And it works fine with them.
Apparently that was the case of verisign CA back to V1 certificate also ..
http://www.drh-consultancy.demon.co.uk/nscertype.html
http://unitstep.net/blog/2009/03/16/using-the-basic-constraints-extension-in-x509-v3-certificates-for-intermediate-cas/
From http://www.openssl.org/docs/apps/x509v3_config.html , I read
DESCRIPTION
Several of the OpenSSL utilities can add extensions to a certificate or
certificate request based on the contents of a configuration file.
So I suspect and hope that I can change, alter, my running root CA
certificate !?, can you tell me how ?
Thanks.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org