Re: OpenSSL with Windows subordinates

Don't forget Path Length.

-Kyle H

On 12/28/06, Dr. Stephen Henson wrote:
> On Thu, Dec 28, 2006, Aaron Barnes wrote:
> > Yes I did. I had to install that yesterday also in order for the
> > subordinate to trust the root.
> > I was reading on the web site (specifically on this web page:
> > http://www.openssl.org/docs/apps/x509v3_config.html# ) It would seem to
> > indicate one should modify the basicConstraints lines in the openssl.cnf
> > file, but again I am not terribly familiar with this option. The only
> > things I have modified in my openssl.cnf file so far are the lines to
> > include email address, location, directory structure, changed policy
> > fields to optional, and the key size.
> > If I am understanding this correctly, the OpenSSL root issued the
> > certificate as a simple 'machine' cert, not as a subordinate CA. Am I
> > on the right track?
> If you used the CA.pl script to generate the certificates it should just "do
> the right thing". The standard openssl.cnf has some sensible defaults which
> should suit most purposes.
> That includes using basicConstraints for a CA certificate.
> If you've used other commands (all manner of weird stuff is recommended by
> some cookbooks) then the certificates may not suit your purpose.
> If you do:
> openssl x509 -in cert.pem -text -noout
> you should see the basicConstraints extension. It must have CA:TRUE for both
> the root CA and the subordinate. If that doesn't help just post (or mail me
> privately) with the two certificates you have created.
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List firstname.lastname@example.org
> Automated List Manager email@example.com
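The CA:TRUE check in the quoted reply and the Path Length reminder at the top of this message can both be tried against a throwaway chain. The script below is an added example, not part of the original thread; the function name, CNs and file names are constructed, and it assumes an `openssl` binary on the PATH.

```shell
#!/bin/sh
# Added example. Builds root -> subordinate CA -> leaf in a temp dir and asks
# `openssl verify` whether the chain is acceptable. CNs and file names are
# constructed. Usage: chain_verifies ROOT_BASIC_CONSTRAINTS SUB_BASIC_CONSTRAINTS
command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 1; }

chain_verifies() {
    d=$(mktemp -d) || return 2
    cat > "$d/ca.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[root_ext]
basicConstraints = critical,$1
keyUsage = critical,keyCertSign,cRLSign
[sub_ext]
basicConstraints = critical,$2
keyUsage = critical,keyCertSign,cRLSign
EOF
    (
        cd "$d" &&
        for n in root sub leaf; do
            openssl ecparam -genkey -name prime256v1 -noout -out "$n.key" || exit 2
        done &&
        # Self-signed root carrying the basicConstraints value under test.
        openssl req -x509 -new -key root.key -subj "/CN=Example Root" -days 2 \
            -config ca.cnf -extensions root_ext -out root.pem &&
        # Subordinate CA: CSR signed by the root with the sub_ext extensions.
        openssl req -new -key sub.key -subj "/CN=Example Sub CA" \
            -config ca.cnf -out sub.csr &&
        openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -set_serial 2 \
            -days 2 -extfile ca.cnf -extensions sub_ext -out sub.pem &&
        # End-entity certificate issued by the subordinate, no CA extensions.
        openssl req -new -key leaf.key -subj "/CN=leaf.example.test" \
            -config ca.cnf -out leaf.csr &&
        openssl x509 -req -in leaf.csr -CA sub.pem -CAkey sub.key -set_serial 3 \
            -days 2 -out leaf.pem &&
        openssl verify -CAfile root.pem -untrusted sub.pem leaf.pem | grep -q ': OK$'
    ) >/dev/null 2>&1
    rc=$?
    rm -rf "$d"
    return $rc
}

# Three chains: one valid, one with the root's path length too short for a
# subordinate CA, one where the subordinate was issued without CA rights.
chain_verifies "CA:TRUE,pathlen:1" "CA:TRUE,pathlen:0" && echo "root pathlen:1, sub CA:TRUE: OK"
chain_verifies "CA:TRUE,pathlen:0" "CA:TRUE" || echo "root pathlen:0, sub CA:TRUE: rejected"
chain_verifies "CA:TRUE" "CA:FALSE" || echo "sub CA:FALSE: rejected"
```

To see the extension on any one certificate, run the `openssl x509 -in cert.pem -text -noout` command from the quoted reply and look for the `X509v3 Basic Constraints` entry.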