Yes I did. I had to install that yesterday also in order for the
subordinate to trust the root.

I was reading on the web site (specifically on this web page: ). It would seem to
indicate one should modify the basicConstraints lines in the openssl.cnf
file, but again I am not terribly familiar with this option. The only
things I have modified in my openssl.cnf file so far are the lines to
include email address, location, directory structure, changed policy
fields to optional, and the key size.

If I am understanding this correctly, the OpenSSL root issued the
certificate as a simple 'machine' cert, not as a subordinate CA. Am I
on the right track?


-----Original Message-----
[] On Behalf Of Dr. Stephen Henson
Sent: Thursday, December 28, 2006 11:55
Subject: Re: OpenSSL with Windows subordinates

On Thu, Dec 28, 2006, Aaron Barnes wrote:

> I think we're making some progress with resolving this problem. I
> signed a new request with the switch you mentioned and loaded it onto
> the subordinate. I don't receive the old ASN1 error, which is good,
> but now I've received one I've never seen before, "A certificate's
> basic constraint extension has not been observed." Does this mean I
> may have something configured incorrectly in the openssl.cnf file?

Did you install a root CA onto that system too? If so that might be a
problem depending on how you created it.

Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
__________________________________________________ ____________________
OpenSSL Project
User Support Mailing List
Automated List Manager
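
The distinction raised in the message above, between a certificate issued as a plain 'machine' cert and one issued as a subordinate CA, shown as an added example that is not part of the original thread. It assumes the openssl command-line tool is installed; the config section name v3_ca, the file names and the subjects are all constructed for the demo.

```shell
# Added example: every subject name and file below is constructed for the demo.
DEMO_DIR=$(mktemp -d)

# Minimal config; [v3_ca] holds the extensions a subordinate CA certificate needs.
cat > "$DEMO_DIR/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# new_req NAME: generate NAME.key and NAME.csr
new_req() {
    openssl req -new -newkey rsa:2048 -nodes -config "$DEMO_DIR/demo.cnf" \
        -subj "/CN=Constructed $1" -keyout "$DEMO_DIR/$1.key" \
        -out "$DEMO_DIR/$1.csr" 2>/dev/null
}

# sign REQ ISSUER OUT [x509 options]: ISSUER signs REQ.csr into OUT.pem
sign() {
    req=$1; issuer=$2; out=$3; shift 3
    openssl x509 -req -in "$DEMO_DIR/$req.csr" -CA "$DEMO_DIR/$issuer.pem" \
        -CAkey "$DEMO_DIR/$issuer.key" -CAcreateserial -days 1 \
        -out "$DEMO_DIR/$out.pem" "$@" 2>/dev/null
}

# is_ca CERT: true only if the certificate asserts CA:TRUE
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# chain_ok SUB LEAF: true if root -> SUB -> LEAF validates
chain_ok() {
    openssl verify -CAfile "$DEMO_DIR/root.pem" -untrusted "$DEMO_DIR/$1.pem" \
        "$DEMO_DIR/$2.pem" >/dev/null 2>&1
}

# Self-signed root carrying the CA extensions.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$DEMO_DIR/demo.cnf" \
    -extensions v3_ca -subj "/CN=Constructed root" \
    -keyout "$DEMO_DIR/root.key" -out "$DEMO_DIR/root.pem" 2>/dev/null

new_req machine; new_req subca; new_req leaf
sign machine root machine                 # no extensions: a plain end-entity cert
sign subca root subca -extfile "$DEMO_DIR/demo.cnf" -extensions v3_ca
sign leaf machine leaf_m; sign leaf subca leaf_s
for s in machine subca; do is_ca "$DEMO_DIR/$s.pem" && echo "$s: CA:TRUE" || echo "$s: not a CA"; done
```

Running `chain_ok machine leaf_m` and `chain_ok subca leaf_s` afterwards shows that only the chain through the certificate signed with the v3_ca extensions validates.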