On Thu, Dec 28, 2006, Aaron Barnes wrote:

> Yes I did. I had to install that yesterday also in order for the
> subordinate to trust the root.
>
> I was reading on the web site (specifically on this web page:
> http://www.openssl.org/docs/apps/x509v3_config.html# ) It would seem to
> indicate one should modify the basicConstraints lines in the openssl.cnf
> file, but again I am not terribly familiar with this option. The only
> things I have modified in my openssl.cnf file so far are the lines to
> include email address, location, directory structure, changed policy
> fields to optional, and the key size.
>
> If I am understanding this correctly, the OpenSSL root issued the
> certificate as a simple 'machine' cert, not as a subordinate CA. Am I
> on the right track?
>


If you used the CA.pl script to generate the certificates it should just "do
the right thing". The standard openssl.cnf has some sensible defaults which
should suit most purposes.

That includes using basicConstraints for a CA certificate.

If you've used other commands (all manner of weird stuff is recommended by
some cookbooks) then the certificates may not suit your purpose.

If you do:

openssl x509 -in cert.pem -text -noout

you should see the basicConstraints extension. It must have CA:TRUE for both
the root CA and the subordinate. If that doesn't help just post (or mail me
privately) with the two certificates you have created.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
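An added worked example, not part of this thread or of OpenSSL's own CA.pl: it builds a root CA and a subordinate CA with explicit basicConstraints from a small config file, then scripts the `openssl x509 -text -noout` check Steve describes. It also issues a "bad" subordinate signed without CA:TRUE (the "simple machine cert" situation Aaron suspects) and shows that a certificate it issues fails chain verification. The config section names, file names and subject names are assumptions made for the demo; only the `openssl` command-line tool is required.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed names: ca.cnf,
# root.pem, sub.pem, bad_sub.pem, leaf.pem, leaf_bad.pem, all in a temp dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config: a CA extension section and an end-entity section.
# This is the basicConstraints setting the x509v3_config page talks about.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_end_entity ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF

# Self-signed root CA with CA:TRUE.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Demo Root CA" -config ca.cnf -extensions v3_ca \
  -keyout root.key -out root.pem 2>/dev/null

# Subordinate CA request, signed by the root WITH the CA extensions.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Demo Sub CA" -config ca.cnf -keyout sub.key -out sub.csr 2>/dev/null
openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile ca.cnf -extensions v3_ca -out sub.pem 2>/dev/null

# The same request signed as a plain end-entity cert: a "machine" cert
# that has no business issuing anything.
openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile ca.cnf -extensions v3_end_entity -out bad_sub.pem 2>/dev/null

# One leaf certificate issued by each subordinate.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=leaf.example.test" -config ca.cnf -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
  -days 30 -sha256 -extfile ca.cnf -extensions v3_end_entity -out leaf.pem 2>/dev/null
openssl x509 -req -in leaf.csr -CA bad_sub.pem -CAkey sub.key -CAcreateserial \
  -days 30 -sha256 -extfile ca.cnf -extensions v3_end_entity -out leaf_bad.pem 2>/dev/null

# Steve's check, scripted: print CA:TRUE, CA:FALSE, or NONE if the
# basicConstraints extension is missing altogether.
ca_flag() {
  flag=$(openssl x509 -in "$1" -text -noout | grep -oE 'CA:(TRUE|FALSE)' | head -n 1)
  echo "${flag:-NONE}"
}

# Does a leaf chain up to the root through the given intermediate?
# Returns 0 on success, non-zero otherwise (e.g. "invalid CA certificate").
chain_ok() {
  openssl verify -CAfile root.pem -untrusted "$1" "$2" >/dev/null 2>&1
}

# Human-readable report when run directly.
for c in root.pem sub.pem bad_sub.pem; do
  printf '%-12s basicConstraints %s\n' "$c" "$(ca_flag "$c")"
done
chain_ok sub.pem leaf.pem     && echo "leaf via sub.pem:     chain OK"
chain_ok bad_sub.pem leaf_bad.pem || echo "leaf via bad_sub.pem: chain FAILS (issuer is not a CA)"
```

Both root.pem and sub.pem report CA:TRUE, bad_sub.pem reports CA:FALSE, and the leaf issued by bad_sub.pem is rejected by `openssl verify` even though bad_sub.pem itself was validly signed by the root. That is exactly the symptom of a subordinate that was issued as an ordinary machine cert rather than a CA.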