Re: [Openca-Users] Root CA certificate is not a signing certificate?
On Fri, 2004-09-24 at 03:22, Michael Bell wrote:
> > Shouldn't my first cert have basicConstraints CA:true instead of
> > CA:FALSE?
>
> I think you are a little bit confused.

You're right. I was. Thanks for clearing that up. :-)

> 1. A root CA certificate is the self-signed certificate of the CA. This
> certificate only signs other certificates and CRLs. CA:FALSE shows me
> that you try to download a normal certificate. You must import the CA
> certificate as signer (CA) certificate.
>
> 2. The first certificate is the first certificate signed by the CA. This
> certificate must have CA:FALSE because it is usually not the
> certificate of sub CA.

Yesterday, I used the /pub page, chose Certificates, and then chose Valid and downloaded all 6 certificates that I've generated with this installation of OpenCA going by certificate serial numbers.

After reading your reply, I looked for other methods to get the root CA certificate as a signer and this time used the CA Infos and Get CA Certificate links and when I examine this certificate, it does have CA:TRUE, and I see that the serial number for this root CA certificate is serial number 0 (which was not present in the list of certificates that I generated with the previous method---probably by design, I guess). I was thinking that the certificate with serial number 1 was the signer, but now I see that it is serial number 0.

Thanks for clearing that up, Michael.

-Kevin

___
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users

Re: [Openca-Users] Root CA certificate is not a signing certificate?
Hi Kevin,

> I recently set up RC6 more or less according to Kevin Mitcham's cookbook
> as a two-interface (RA and CA) system on one computer. I've been
> generating client certificates and learning more about the software, but
> I've tried importing the root CA certificate (the first cert generated in
> the cookbook) into a web browser as a signing certificate and it was
> refused with the error, "...not a signer..."
>
> When I look at the cert with:
>
>     openssl x509 -noout -text -in 1.crt
>
> I see:
>
>     X509v3 extensions:
>         X509v3 Basic Constraints:
>             CA:FALSE
>
> However, I read in the OpenCA Guide at 3. OpenSSL; Chapter 2.
> Configuration:
>
> "You must care about three configurationfiles and -directories
> etc/openssl/openssl.cnf, etc/openssl/openssl and etc/openssl/extfiles.
> The first file contains the configuration for the CA. This means the
> file is used for the generation of the initial CA-CSR, the selfsigned
> certificate (if you setup a Root CA) and the CRLs."
>
> and when I look at etc/openssl/openssl.cnf (in both my open[cr]a/etc
> directories), I see this:
>
> ===
> [ req ]
> default_bits            = 1024
> default_keyfile         = privkey.pem
> default_md              = sha1
> distinguished_name      = req_distinguished_name
> attributes              = req_attributes
> x509_extensions         = v3_ca # The extentions to
>                                 # add to the self signed
> ...
> [ v3_ca ]
> # Extensions for a typical CA
> # It's a CA certificate
> basicConstraints = critical, CA:true
> ===
>
> Shouldn't my first cert have basicConstraints CA:true instead of
> CA:FALSE?

I think you are a little bit confused.

1. A root CA certificate is the self-signed certificate of the CA. This certificate only signs other certificates and CRLs. CA:FALSE shows me that you try to download a normal certificate. You must import the CA certificate as signer (CA) certificate.

2. The first certificate is the first certificate signed by the CA. This certificate must have CA:FALSE because it is usually not the certificate of sub CA.

The easiest way for you is the following:

1. Make a list
   - CA cert: ...
   - 1. normal cert: ...
   - 2. normal cert
2. Imports
   - import the CA certificate as signer (CA:true) certificate
   - import the normal certs (CA:FALSE)

Michael
--
Michael Bell
Humboldt-Universitaet zu Berlin
ZE Computer- und Medienservice
Unter den Linden 6
D-10099 Berlin
Tel.: +49 (0)30-2093 2482
Fax: +49 (0)30-2093 2704
[EMAIL PROTECTED]

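[Added example, not part of the thread and not OpenCA's own code: a shell sketch of the check discussed above, which decides from basicConstraints, not from the serial number or file name, which certificate is the signer. The function names cert_role and make_demo_pki, the demo subjects and the file names are assumptions made for illustration; the demo builds its own throwaway root and one issued certificate with the openssl command line.]

```sh
# Added example: tell a signer (CA) certificate from a normal one by
# reading basicConstraints. Subjects and file names are constructed.

# Print "signer" if basicConstraints says CA:TRUE, else "end-entity"
# (a certificate with no basicConstraints is also treated as end-entity).
cert_role() {
    if openssl x509 -noout -text -in "$1" |
        awk '/X509v3 Basic Constraints/ { getline; print; exit }' |
        grep -q 'CA:TRUE'; then
        echo signer
    else
        echo end-entity
    fi
}

# Build a throwaway self-signed root (serial 0) and one certificate
# signed by it (serial 1) in directory $1.
make_demo_pki() {
    dir=$1
    cat > "$dir/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:true
[ v3_user ]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config "$dir/demo.cnf" \
        -extensions v3_ca -subj "/CN=Demo Root CA" -set_serial 0 -days 1 \
        -keyout "$dir/ca.key" -out "$dir/0.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/demo.cnf" \
        -subj "/CN=Demo User" -keyout "$dir/user.key" \
        -out "$dir/user.csr" 2>/dev/null
    openssl x509 -req -in "$dir/user.csr" -CA "$dir/0.crt" \
        -CAkey "$dir/ca.key" -set_serial 1 -days 1 \
        -extfile "$dir/demo.cnf" -extensions v3_user \
        -out "$dir/1.crt" 2>/dev/null
}

# Demo: 0.crt is the one to import as signer; 1.crt is a normal cert.
demo=$(mktemp -d)
make_demo_pki "$demo"
for c in "$demo/0.crt" "$demo/1.crt"; do
    printf '%s: %s\n' "$(basename "$c")" "$(cert_role "$c")"
done
rm -rf "$demo"
```
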
[Openca-Users] Root CA certificate is not a signing certificate?
Hi List-

I recently set up RC6 more or less according to Kevin Mitcham's cookbook as a two-interface (RA and CA) system on one computer. I've been generating client certificates and learning more about the software, but I've tried importing the root CA certificate (the first cert generated in the cookbook) into a web browser as a signing certificate and it was refused with the error, "...not a signer..."

When I look at the cert with:

    openssl x509 -noout -text -in 1.crt

I see:

    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE

However, I read in the OpenCA Guide at 3. OpenSSL; Chapter 2. Configuration:

"You must care about three configurationfiles and -directories etc/openssl/openssl.cnf, etc/openssl/openssl and etc/openssl/extfiles. The first file contains the configuration for the CA. This means the file is used for the generation of the initial CA-CSR, the selfsigned certificate (if you setup a Root CA) and the CRLs."

and when I look at etc/openssl/openssl.cnf (in both my open[cr]a/etc directories), I see this:

===
[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
default_md              = sha1
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions         = v3_ca # The extentions to
                                # add to the self signed
...
[ v3_ca ]
# Extensions for a typical CA
# It's a CA certificate
basicConstraints = critical, CA:true
===

Shouldn't my first cert have basicConstraints CA:true instead of CA:FALSE?

TIA.

-Kevin