Re: OpenSSL with Windows subordinates
On Thu, Dec 28, 2006, Aaron Barnes wrote:
> I think I see what you're getting at now. I reviewed the text of the
> root and the subordinate certs; the root does NOT have the CA:TRUE
> (false obviously), the subordinate does have CA:TRUE. So I guess this
> tells me I must have installed the root CA incorrectly.
> I didn't use CA.pl, but rather CA.sh. I'll list each step I did to set
> up OpenSSL and the root.
> 1. ./config
> 2. make
> 3. make test
> 4. make install
> 5. ./CA.sh -newca
> 6. ./CA.sh -sign
> It sounds like I'll probably need to redo the root setup, but let me
> know if there is an adjustment I need to make based on how many tiers I
> want to set up in the overall PKI.
> I'll also email you copies of the certificates separately.
Yes the root CA has basicConstraints CA:FALSE on it which is causing the
I'd suggest you redo the root CA and the subordinate using CA.pl: CA.sh is an
older script that isn't maintained any more.
The command CA.pl -signCA automatically signs a request as a CA instead of an
end entity cert.
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
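The basicConstraints problem diagnosed in this thread, reproduced as an added example that is not part of the original messages and does not use CA.pl or CA.sh: it builds one root with CA:FALSE and one with CA:TRUE, signs a subordinate under each, and shows how to inspect the flag and how `openssl verify` treats each chain. It assumes the `openssl` command-line tool is on the PATH; all file names, subjects and the config file are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example; file names, subjects and the config below are constructed.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config with one extension section per basicConstraints value.
cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed-example
[ca_true]
basicConstraints = critical,CA:TRUE
[ca_false]
basicConstraints = CA:FALSE
EOF

# make_root NAME SECTION: self-signed root using the given extension section.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ext.cnf" \
    -extensions "$2" -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_sub NAME ISSUER: subordinate CA certificate (CA:TRUE) signed by ISSUER.
make_sub() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ext.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -days 1 -CAcreateserial \
    -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -extfile "$WORK/ext.cnf" \
    -extensions ca_true -out "$WORK/$1.pem" 2>/dev/null
}

# is_ca CERT: succeeds only if the certificate asserts basicConstraints CA:TRUE.
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# chain_ok ROOT SUB: succeeds if SUB verifies with ROOT as the trust anchor.
chain_ok() { openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1; }

make_root badroot ca_false && make_sub badsub badroot
make_root goodroot ca_true && make_sub goodsub goodroot
is_ca "$WORK/badroot.pem" && echo "badroot: CA:TRUE" || echo "badroot: CA:FALSE"
chain_ok badroot badsub && echo "bad chain: verified" || echo "bad chain: rejected"
chain_ok goodroot goodsub && echo "good chain: verified" || echo "good chain: rejected"
```

Signing under the CA:FALSE root succeeds without complaint; the failure only appears when a verifier builds the chain, which is why inspecting the root with `openssl x509 -noout -text` before issuing subordinates is worth the step.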