I think we're making some progress with resolving this problem. I
signed a new request with the switch you mentioned and loaded it onto
the subordinate. I don't receive the old ASN1 error, which is good, but
now I've received one I've never seen before, "A certificate's basic
constraint extension has not been observed." Does this mean I may have
something configured incorrectly in the openssl.cnf file? =20

One bit of good news though is that I no longer have to export the
certificate into .der format; the .pem file worked just fine.

Aaron




-----Original Message-----
From: owner-openssl-users@openssl.org
[mailtowner-openssl-users@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Wednesday, December 27, 2006 15:04
To: openssl-users@openssl.org
Subject: Re: OpenSSL with Windows subordinates

>=20


Yes the signing command is incorrect. By default the certificate is an
end entity certificate for OpenSSL not a CA certificate.

Try the command line switch: -extensions v3_ca=20

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL
project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org