Yes I did. I had to install that yesterday also in order for the
subordinate to trust the root.

I was reading on the web site (specifically on this web page:
http://www.openssl.org/docs/apps/x509v3_config.html# ) It would seem to
indicate one should modify the basicConstraints lines in the openssl.cnf
file, but again I am not terribly familiar with this option. The only
things I have modified in my openssl.cnf file so far are the lines to
include email address, location, directory structure , changed policy
fields to optional, and the key size. =20

If I am understanding this correctly, the OpenSSL root issued the
certificate as a simple 'machine' cert, not as a subordinate CA. Am I
on the right track? =20

Aaron

-----Original Message-----
From: owner-openssl-users@openssl.org
[mailtowner-openssl-users@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Thursday, December 28, 2006 11:55
To: openssl-users@openssl.org
Subject: Re: OpenSSL with Windows subordinates

On Thu, Dec 28, 2006, Aaron Barnes wrote:

> I think we're making some progress with resolving this problem. I
> signed a new request with the switch you mentioned and loaded it onto=20
> the subordinate. I don't receive the old ASN1 error, which is good,=20
> but now I've received one I've never seen before, "A certificate's=20
> basic constraint extension has not been observed." Does this mean I=20
> may have something configured incorrectly in the openssl.cnf file?
>=20


Did you install a root CA onto that system too? If so that might be a
problem depending on how you created it.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL
project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org