Wonderful!
I redid the root CA setup using ca.pl, modified the openssl.cnf file to
CA:TRUE in the v3_ca section, and signed the subordinate request using
the previous command:
(ca -config /path/openssl.cnf -out thecertificate.pem -in
requestfile.req -extensions v3_ca). I imported the pem file for the
subordinate, and also the root cert, and the Windows services started up
just fine.
I was also able to verify its functionality by requesting some user
certs from it.

Is there much difference between signing with the openssl command above
and the ca.pl perl script? It seems to me it is mainly helpful for
automating the process.

One last question if you don't mind. I noticed the keysize for my
subordinate is 1024 bits. Where can I indicate the keysize when signing
the request? In the openssl.cnf file I used, I have 4096 listed in the
req section, but does this need to be placed elsewhere? It didn't work
when I placed it in the v3_ca section.

Thanks,
Aaron

-----Original Message-----
From: owner-openssl-users@openssl.org
[mailto:owner-openssl-users@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Thursday, December 28, 2006 15:47
To: openssl-users@openssl.org
Subject: Re: OpenSSL with Windows subordinates



Yes the root CA has basicConstraints CA:FALSE on it which is causing the
error.

I'd suggest you redo the root CA and the subordinate using CA.pl: CA.sh
is an older script that isn't maintained any more.

The command CA.pl -signCA automatically signs a request as a CA instead
of an end entity cert.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
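
An added example, not part of the original messages or of the OpenSSL scripts: it reproduces the situation in the thread by building one root with basicConstraints CA:FALSE and one with CA:TRUE, signing a subordinate CA request under each with the v3_ca extensions, and running openssl verify. It goes slightly beyond the thread by also printing the subordinate's key size, which is the size of the key pair generated for the request. All names, file paths and the v3_leaf section are constructed, and `openssl x509 -req` stands in for the `ca` command so no CA database is needed.

```shell
#!/bin/sh
# Added example: throwaway keys and constructed names; needs the openssl CLI.
set -e
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Minimal config holding the two extension profiles being compared.
cat > "$work/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
EOF

# chain_verifies ROOT_EXT: build a self-signed root using section ROOT_EXT,
# create a subordinate request (its key size, 3072 here, is fixed at this
# step), sign it with v3_ca, then verify the subordinate against the root.
chain_verifies() {
    d="$work/$1"; mkdir -p "$d"
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 30 \
        -config "$work/ca.cnf" -extensions "$1" -subj "/CN=Example Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
    openssl req -new -nodes -newkey rsa:3072 -config "$work/ca.cnf" \
        -subj "/CN=Example Subordinate" \
        -keyout "$d/sub.key" -out "$d/sub.req" 2>/dev/null &&
    openssl x509 -req -in "$d/sub.req" -days 30 -CA "$d/root.pem" \
        -CAkey "$d/root.key" -CAcreateserial -extfile "$work/ca.cnf" \
        -extensions v3_ca -out "$d/sub.pem" 2>/dev/null &&
    openssl verify -CAfile "$d/root.pem" "$d/sub.pem" >/dev/null 2>&1
}

# cert_bits FILE: public key size recorded in a certificate.
cert_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

for ext in v3_leaf v3_ca; do
    if chain_verifies "$ext"; then echo "root [$ext]: subordinate verifies"
    else echo "root [$ext]: subordinate rejected"; fi
done
echo "subordinate key: $(cert_bits "$work/v3_ca/sub.pem") bits"
```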