Don't forget Path Length.

-Kyle H

On 12/28/06, Dr. Stephen Henson wrote:
> On Thu, Dec 28, 2006, Aaron Barnes wrote:
>
> > Yes I did. I had to install that yesterday also in order for the
> > subordinate to trust the root.
> >
> > I was reading on the web site (specifically on this web page:
> > http://www.openssl.org/docs/apps/x509v3_config.html# ) It would seem to
> > indicate one should modify the basicConstraints lines in the openssl.cnf
> > file, but again I am not terribly familiar with this option. The only
> > things I have modified in my openssl.cnf file so far are the lines to
> > include email address, location, directory structure, changed policy
> > fields to optional, and the key size.
> >
> > If I am understanding this correctly, the OpenSSL root issued the
> > certificate as a simple 'machine' cert, not as a subordinate CA. Am I
> > on the right track?
> >
>
> If you used the CA.pl script to generate the certificates it should just "do
> the right thing". The standard openssl.cnf has some sensible defaults which
> should suit most purposes.
>
> That includes using basicConstraints for a CA certificate.
>
> If you've used other commands (all manner of weird stuff is recommended by
> some cookbooks) then the certificates may not suit your purpose.
>
> If you do:
>
> openssl x509 -in cert.pem -text -noout
>
> you should see the basicConstraints extension. It must have CA:TRUE for both
> the root CA and the subordinate. If that doesn't help just post (or mail me
> privately) with the two certificates you have created.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majordomo@openssl.org
>



--

-Kyle H
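The two checks raised in this thread, CA:TRUE on both the root and the subordinate (Steve) and the basicConstraints path length (Kyle), as an added example that is not part of the original thread and is not the OpenSSL project's own CA.pl or openssl.cnf. It assumes only an `openssl` binary on PATH; the file names, subject names and extension profiles are constructed for the demo. It builds root -> subordinate -> leaf with explicit pathlen values, reproduces the mistake Aaron describes (a "subordinate" issued with a machine profile) and adds one tier too many under a pathlen:0 CA, then shows that `openssl verify` rejects both.

```shell
#!/bin/sh
# Added example, not from the original thread or the OpenSSL project.
# Builds root -> subordinate -> leaf with explicit basicConstraints and pathlen,
# then runs the two checks discussed: CA:TRUE on both CA certs, and the path
# length limit. File names, subjects and extension profiles are constructed.

WORK="$(mktemp -d)"
cd "$WORK" || exit 1

# Minimal req config so the run does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
EOF

# Extension profiles. pathlen is the number of further CA certificates allowed
# below the one carrying it: the root allows one (the sub), the sub allows none.
cat > root_ext.cnf <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:1
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
cat > sub_ext.cnf <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
# A plain "machine" profile: what the thread's misissued subordinate looked like.
cat > leaf_ext.cnf <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# issue NAME CN EXTFILE [ISSUER]: key, CSR and certificate. Without ISSUER the
# cert is self-signed (the root); otherwise ISSUER.pem/ISSUER.key sign it.
issue() {
    name=$1; cn=$2; ext=$3; issuer=$4
    openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
        -keyout "$name.key" -subj "/CN=$cn" -out "$name.csr" 2>/dev/null || return 1
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 30 \
            -extfile "$ext" -out "$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
            -CAcreateserial -days 30 -extfile "$ext" -out "$name.pem" 2>/dev/null
    fi
}

# Steve's check: does the certificate carry CA:TRUE?
has_ca_flag() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Kyle's addition: the declared pathlen (empty output if none is set).
path_len() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*pathlen:\([0-9]*\).*/\1/p' | head -n 1
}

# verify_leaf LEAF INTERMEDIATE...: chain LEAF to root.pem through the given
# untrusted intermediates, as a TLS client would. Exit status is the verdict.
verify_leaf() {
    leaf=$1; shift
    args=""
    for c in "$@"; do args="$args -untrusted $c"; done
    openssl verify -CAfile root.pem $args "$leaf" 2>&1
}

issue root     "Demo Root CA" root_ext.cnf        || exit 1
issue sub      "Demo Sub CA"  sub_ext.cnf  root   || exit 1
issue leaf     "server.demo"  leaf_ext.cnf sub    || exit 1
# The thread's mistake: a "subordinate" issued from a machine profile.
# Issuance is not what protects you; whether or not this signs, it must not verify.
issue badsub   "Bad Sub CA"   leaf_ext.cnf root   || exit 1
issue badleaf  "bad.demo"     leaf_ext.cnf badsub
# One tier too many: sub has pathlen:0, so a CA below it exceeds the limit.
issue deep     "Too Deep CA"  sub_ext.cnf  sub    || exit 1
issue deepleaf "deep.demo"    leaf_ext.cnf deep   || exit 1

for c in root sub leaf badsub; do
    pl=$(path_len "$c.pem")
    if has_ca_flag "$c.pem"; then flag=CA:TRUE; else flag=CA:FALSE; fi
    echo "$c.pem: $flag, pathlen ${pl:-none}"
done
verify_leaf leaf.pem sub.pem                 # expected: OK
verify_leaf badleaf.pem badsub.pem           # expected: fails, issuer is not a CA
verify_leaf deepleaf.pem deep.pem sub.pem    # expected: fails, pathlen exceeded
echo "artifacts left in $WORK"
```

The `-text` output that Steve asks for shows both values on one line (`CA:TRUE, pathlen:1`), so the same dump answers both questions. Note that `openssl verify` enforces pathlen by counting the non-self-issued CA certificates below the one that carries it, so a root with pathlen:1 tolerates exactly one subordinate, and that subordinate needs pathlen:0 if it is only ever meant to sign end-entity certificates.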