Hello Jehan:

On August 24, 2009 10:15:51 am jehan procaccia wrote:
> Hello,
>
> since Firefox 3.5 apparently doesn't accept Root CA self signed
> certificate which doesn't contain correct extensions (Basic Constraints:
> CA:TRUE)
> I wonder how I can add these extensions to my already existing and self
> signed Root CA :
> http://ca.institut-telecom.fr/pki/IT_MASTER_CA/itrootca.crt
>

The short answer is - you can't 'ADD' an extension to a signed certificate. What you would have to do is to re-do your key ceremony and re-issue your root certificate, following the process outlined for certificate modification in your CP.

> My second level (intermediate;
> http://ca.institut-telecom.fr/pki/IT_CA/itca.crt) CA does contain these
> extensions:
>
> X509v3 Basic Constraints: critical
> CA:TRUE
> X509v3 Key Usage: critical
> Certificate Sign, CRL Sign
> Netscape Cert Type:
> SSL CA, S/MIME CA, Object Signing CA
>
> And it works fine with them.
>
> Apparently that was the case of verisign CA back to V1 certificate also ..

V1 certificates don't have an extensions section, so this isn't a problem.

> So I suspect and hope that I can change, alter, my running root CA
> certificate !?, can you tell me how ?

As I said above, you can't alter a signed structure - that's why you sign it - to prevent anyone from altering it.

The only way to add this extension to your root cert is to re-issue your Root CA certificate (you can use the same private keys, so you wouldn't have to change or re-do any of the other certificates in your trust chain, as long as your Certificate Policy allows this). Then, you just have to re-deploy this new certificate out to all of your relying parties - of course, you would have had to do that if you had been able to alter your existing Root CA certificate, so the process is no different.

Now, while you are at it, you may want to fix up a couple of things:

First of all, it is generally considered to be ill advised to create a certificatePolicy section in a Root CA. This is in case you ever change the assurance levels / certificate Policy OID that your PKI issues (among other reasons - see RFC3280 and RFC5280).

Second, I doubt your organisation is authoritative for the OID arc 1.1.1.1.1 - from what documentation I can find, the 1.1 arc is used for examples, and shouldn't be used in production. You should have your organisation register with IANA to be issued its own correct OID arc (or, I think the French Government maintains an arc under their country arc for organisations and companies in that country).

Also, since Root CA Certificates are not revoked by CRL (Please see RFC3280/RFC5280 for trust anchor verification), it is not considered good practice to have CRL DP in the root cert.

And, having an AIA that points to itself is simply not that great an idea :)

Have fun.

--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org