Hi,
this shouldn't be, because you marked this extension as critical;
what is your OpenSSL release?
and in case of Linux, which distro (version/release) are you using?
Walter

On 20.08.2013 20:18, Peter1234 wrote:
Hi all,

although I issued a certificate for an intermediate CA (CA2) with a
pathlength of zero (pathlen:0), I could use this certificate to create
certificates for further CAs (CA3).

Due to pathlen:0 I expected openssl would either cancel creation of sub-CAs
with an error message or would create a normal client certificate instead of
CA certificates.
It seems as if openssl doesn't consider the restrictions imposed by a
pathlength of zero or the configuration I use is incomplete.

Hope you can help me with this problem

Thanks & Regards
--------- Certificate of CA2 issued by Root CA -----------------------
Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 4122 (0x101a)
         Signature Algorithm: sha1WithRSAEncryption
         Issuer: C=.., ST=............, L=.........., O=......., OU=IT, CN=CA/emailAddress=c...@testdomain.com
         Validity
             Not Before: Aug 20 17:02:11 2013 GMT
             Not After : May 16 17:02:11 2016 GMT
         Subject: C=.., ST=.............., O=........., OU=IT, CN=CA2/emailAddress=c...@testdomain.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (512 bit)
                 Modulus (512 bit):
                     00:d6:80:03:b9:83:a4:fa:8d:54:71:e2:9b:1e:ff:
                     7a:f5:66:a5:f0:b8:95:fe:52:5c:06:0b:a5:48:8b:
                     0a:63:62:d4:da:b2:c7:4d:cc:bb:6d:77:eb:d7:e4:
                     d7:76:be:94:1e:26:75:9a:6c:40:63:99:2d:0c:3f:
                     95:16:d2:d1:5f
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier:
                 5A:E4:98:4B:35:90:FE:F3:1F:9E:30:0E:10:31:1A:52:6E:25:73:B0
             X509v3 Authority Key Identifier:
                 keyid:0B:23:16:B4:6C:94:EE:EE:EF:3C:37:AB:0D:6A:75:9D:F2:6F:2F:27
                 DirName:/C=../ST=....../L=........./O=........../OU=IT/CN=CA/emailAddress=c...@testdomain.com
                 serial:EF:FC:FB:59:78:68:80:57
*             X509v3 Basic Constraints: critical
                 CA:TRUE, pathlen:0
*             X509v3 Key Usage:
                 Certificate Sign, CRL Sign
             Netscape Cert Type:
                 SSL CA, S/MIME CA, Object Signing CA
     Signature Algorithm: sha1WithRSAEncryption
