Today, 30 August 2010, Tomás Tormo wrote:
>    [amsterdam:/morralla/ttormo/ACIndenova]# openssl x509 -in acindenova.cer -text
>                Not Before: Dec  8 08:31:12 2006 GMT
>                Not After : Dec  5 08:41:12 2016 GMT
>    [amsterdam:/test]# openssl x509 -in admesigna.cer -text
>    Certificate:
>                Not Before: May 10 12:25:25 2010 GMT
>                Not After : May  7 12:35:25 2020 GMT

Maybe OpenSSL doesn't like the fact that your EE certificate lasts
longer than its CA?

Anyway, other things:
 - e=3 is not considered good
 - will your Root CA sign anything other than certificates and CRLs?
   If not, there's no use for the digitalSignature flag in keyUsage
 - a CRLDP in a Root is useless. Trust comes off-band, end of trust
   will also come off-band
 - a certificatePolicies extension in a Root is useless, it won't be
   processed at all if one follows the normative algorithm
 - netscapeCertType is of no use in 2010
 - in your EE cert, qcStatements extension, you placed the OID twice. Useless, once is enough
 - in your EE cert, you added an AIA extension with an empty OCSP URI.
 - in your EE cert, you added an AIA extension with a CAIssuers field,
   but the considered CA is a self-signed one, so it has no other
   issuer than itself, so it's useless
 - in your EE cert, you specified a policy in your certificatePolicies
   extension. While this particular example is correct, that's just
   because a compliant implementation will ignore the OID used on the
   Root. If a non-compliant one takes the Root OID into consideration,
   then it will fail

Erwann ABALEA <erwann.aba...@keynectis.com>
R&D Department
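
The validity-period point raised in the reply can be checked directly from `openssl x509 -text` output. The following is an added example, not code from the thread: it parses the `Not Before` / `Not After` lines quoted above and reports where the subject's window falls outside the issuer's. It assumes acindenova.cer is the issuing CA and admesigna.cer the EE certificate; the function names are hypothetical.

```python
import re
from datetime import datetime

# Validity lines as quoted in the thread (openssl x509 -text output).
# Assumption: the first dump is the CA, the second the EE certificate.
CA_DUMP = """\
            Not Before: Dec  8 08:31:12 2006 GMT
            Not After : Dec  5 08:41:12 2016 GMT
"""
EE_DUMP = """\
            Not Before: May 10 12:25:25 2010 GMT
            Not After : May  7 12:35:25 2020 GMT
"""

_VALIDITY = re.compile(r"^\s*Not (Before|After)\s*:\s*(.+?)\s*$", re.M)

def validity(dump):
    """Return (not_before, not_after) parsed from an openssl text dump."""
    found = {}
    for kind, stamp in _VALIDITY.findall(dump):
        found[kind] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
    if set(found) != {"Before", "After"}:
        raise ValueError("dump lacks a complete Validity block")
    return found["Before"], found["After"]

def nesting_findings(issuer_dump, subject_dump):
    """List the ways the subject's validity window exceeds the issuer's."""
    i_nb, i_na = validity(issuer_dump)
    s_nb, s_na = validity(subject_dump)
    findings = []
    if s_nb < i_nb:
        findings.append(f"subject valid {(i_nb - s_nb).days} days before issuer")
    if s_na > i_na:
        findings.append(f"subject outlives issuer by {(s_na - i_na).days} days")
    return findings

def overlap(*dumps):
    """Interval in which every listed certificate is inside its own validity
    period, or None if the windows do not intersect."""
    windows = [validity(d) for d in dumps]
    start = max(nb for nb, _ in windows)
    end = min(na for _, na in windows)
    return (start, end) if start <= end else None

if __name__ == "__main__":
    for line in nesting_findings(CA_DUMP, EE_DUMP) or ["validity windows nest"]:
        print(line)
    print("both certificates valid:", overlap(CA_DUMP, EE_DUMP))
```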