Hello,

On Thu, March 27, 2014 10:47, Stefan H. Holek wrote:
>> 3. Is there a reason to not set a pathLen in the basicConstraints
>> section of the Root CA's (to 1, to allow a maximum of one layer of
>> CA's below the Root), but to do so on the Intermediate CA's?
>
> Pathlen is not used on root CA certs. A lot of things are not used on root
> CA certs. They only serve to publish a key and ID. I don't use pathlen on
> intermediate CAs either, just signing CAs.

Does this mean you use certificates with a complete chain of at least 4
certificates?

- root CA cert. no pathlen
- intermediate CA cert. also no pathlen
- signing CA cert. with pathlen
- end cert

What is said here about the key length? My CA uses a root with a 4096-bit
RSA key; does it make sense that an intermediate or the signing CA has a
stronger key than the root CA?

Greetings,
Walter