OCSPsigning added sets SSL client : No and SSL server: No

2013-08-23 Thread redpath

[ v3_req ]
nsCertType = server,client
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning

I am trying to create an SSL cert signed by the CA and want the OCSPsigning
extended key usage, and it turns off SSL server and SSL client, and of course
Mozilla has an issue even though I have the nsCertType set.

I have tried all sorts of things to sign the csr

openssl ca -out certout -in csr -batch -config myconfig -extensions v3_req

--
View this message in context: 
http://openssl.6102.n7.nabble.com/OCSPsigning-added-sets-SSL-client-No-and-SSL-server-No-tp46313.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: OCSPsigning added sets SSL client : No and SSL server: No

2013-08-23 Thread redpath

I sign the cert with a CA

ca -out ibmCMSsslcert.pem -in ibmCMSssl.csr -config ibmcms.cnf -batch -cert ibmCAcert.pem -extensions v3_req

The config has this

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning
nsCertType = server,client
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.ibm.com
DNS.2 = 192.168.2.*
IP.1 = 192.168.2.16
IP.2 = 127.0.0.1


*And the result is this for -text output of the cert*

        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: 
                OCSP Signing
            Netscape Cert Type: 
                SSL Client, SSL Server
            X509v3 Subject Alternative Name: 
                DNS:*.ibm.com, DNS:192.168.2.*, IP Address:192.168.2.16, IP Address:127.0.0.1

*But the -purpose says for the cert*

Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : No
SSL server CA : No
Netscape SSL server : No
Netscape SSL server CA : No

*The server uses the SSL cert and Mozilla is fine with it,
but why is the -purpose wrong now when I add the
extendedKeyUsage = OCSPSigning?*


*Removing this option in the extension produces a correct -purpose*

Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No

The OCSP has an issue with it anyway

140735319386556:error:2706A067:OCSP routines:OCSP_CHECK_DELEGATED:missing ocspsigning usage:ocsp_vfy.c:354:
140735319386556:error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted:ocsp_vfy.c:152:





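
Added example, not part of the original thread: when an extendedKeyUsage extension is present, OpenSSL's purpose check treats it as the complete list of allowed uses, so a cert whose only EKU is OCSPSigning reports "No" for SSL client and SSL server whatever nsCertType says. The script below is a constructed reproduction using throwaway self-signed certs rather than the `openssl ca` signing used in the thread; the function name `purpose_for` and the CN `test.example` are assumptions.

```shell
#!/bin/sh
# Constructed reproduction: issue a throwaway self-signed cert with the
# thread's v3_req settings and a chosen extendedKeyUsage, then report what
# "openssl x509 -purpose" says for one purpose label.
# usage: purpose_for "<EKU list>" "<purpose label>"   -> prints Yes or No
purpose_for() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/req.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[ dn ]
CN = test.example
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
nsCertType = server,client
extendedKeyUsage = $1
EOF
    if openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -config "$dir/req.cnf" -keyout "$dir/key.pem" \
            -out "$dir/cert.pem" 2>/dev/null; then
        # Lines look like "SSL server : Yes"; the CA variants
        # ("SSL server CA : No") do not match the anchored pattern.
        openssl x509 -in "$dir/cert.pem" -noout -purpose |
            sed -n "s/^$2 : //p"
    fi
    rm -rf "$dir"
}

# Same keyUsage and nsCertType in both runs; only the EKU list differs.
for eku in "OCSPSigning" "serverAuth, clientAuth, OCSPSigning"; do
    printf 'EKU=%s\n  SSL server: %s\n  SSL client: %s\n' "$eku" \
        "$(purpose_for "$eku" 'SSL server')" \
        "$(purpose_for "$eku" 'SSL client')"
done
```
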