I think I see what you're getting at now. I reviewed the text of the
root and the subordinate certs; the root does NOT have the CA:TRUE
(false obviously), the subordinate does have CA:TRUE. So I guess this
tells me I must have installed the root CA incorrectly.

I didn't use CA.pl, but rather CA.sh. I'll list each step I did to set
up OpenSSL and the root.

1. ./config
2. make
3. make test
4. make install
5. ./CA.sh -newca
6. ./CA.sh -sign

It sounds like I'll probably need to redo the root setup, but let me
know if there is an adjustment I need to make based on how many tiers I
want to set up in the overall PKI.
I'll also email you copies of the certificates separately.
Aaron


-----Original Message-----
From: owner-openssl-users@openssl.org
[mailto:owner-openssl-users@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Thursday, December 28, 2006 12:34
To: openssl-users@openssl.org
Subject: Re: OpenSSL with Windows subordinates


If you used the CA.pl script to generate the certificates it should just
"do the right thing". The standard openssl.cnf has some sensible
defaults which should suit most purposes.

That includes using basicConstraints for a CA certificate.

If you've used other commands (all manner of weird stuff is recommended
by some cookbooks) then the certificates may not suit your purpose.

If you do:

openssl x509 -in cert.pem -text -noout

you should see the basicConstraints extension. It must have CA:TRUE for
both the root CA and the subordinate. If that doesn't help just post (or
mail me privately) with the two certificates you have created.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL
project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
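The check Steve describes, written out as a small POSIX shell script (an added example, not part of the thread). It assumes PEM-encoded root and subordinate files and the openssl CLI on the path; the `-text` output samples embedded in it are constructed so the parser can be exercised without real certificates.

```shell
#!/bin/sh
# Added example: automate the basicConstraints check from the reply above.
# Assumes PEM files and the openssl CLI; the sample text below is constructed.

# Read `openssl x509 -text -noout` output on stdin and print one of:
#   TRUE    basicConstraints present with CA:TRUE (a pathlen is allowed)
#   FALSE   basicConstraints present with CA:FALSE
#   ABSENT  no basicConstraints extension at all (e.g. an X.509v1 cert)
ca_flag_from_text() {
    awk '
        /X509v3 Basic Constraints/ { grab = 1; next }
        grab == 1 {
            if ($0 ~ /CA:TRUE/)       { print "TRUE";  found = 1 }
            else if ($0 ~ /CA:FALSE/) { print "FALSE"; found = 1 }
            exit
        }
        END { if (!found) print "ABSENT" }
    '
}

# Report the flag for one PEM file; succeeds only when it is a CA cert.
ca_flag_of_file() {
    flag=$(openssl x509 -in "$1" -text -noout | ca_flag_from_text)
    echo "$1: basicConstraints CA:$flag"
    [ "$flag" = "TRUE" ]
}

# Both tiers need CA:TRUE; then confirm the subordinate chains to the root.
check_pki() {
    ca_flag_of_file "$1" && ca_flag_of_file "$2" && openssl verify -CAfile "$1" "$2"
}

# Constructed samples of the relevant part of `-text` output, for testing
# the parser without any real certificates.
SAMPLE_CA='        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign'
SAMPLE_LEAF='        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE'
SAMPLE_V1='        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Test Root'

# Usage: sh check_ca.sh root.pem subordinate.pem
if [ "$#" -eq 2 ]; then
    check_pki "$1" "$2"
fi
```

A root whose output reads ABSENT or FALSE is the case Aaron describes: it was signed without the CA extension and has to be regenerated, since the flag cannot be added to an existing certificate.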
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org