On Thu, Dec 28, 2006, Aaron Barnes wrote:

> I think I see what you're getting at now. I reviewed the text of the
> root and the subordinate certs; the root does NOT have the CA:TRUE
> (false obviously), the subordinate does have CA:TRUE. So I guess this
> tells me I must have installed the root CA incorrectly.
> I didn't use CA.pl, but rather CA.sh. I'll list each step I did to set
> up OpenSSL and the root.
> 1. ./config
> 2. make
> 3. make test
> 4. make install
> 5. ./CA.sh -newca
> 6. ./CA.sh -sign
> It sounds like I'll probably need to redo the root setup, but let me
> know if there is an adjustment I need to make based on how many tiers I
> want to set up in the overall PKI.
> I'll also email you copies of the certificates separately.

Yes the root CA has basicConstraints CA:FALSE on it which is causing the

I'd suggest you redo the root CA and the subordinate using CA.pl: CA.sh is an
older script that isn't maintained any more.

The command CA.pl -signCA automatically signs a request as a CA instead of an
end entity cert.

Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org