I have the following problem:

I want to create a server key for a web-Service-Server (Soap-Server). To ac=
cess this web service I use the Internet Explorer API (WinInet). This certi=
ficate should be built from a Self-Signed-Root-Certificate which I've also =
created. Then I add this CA-certificate to Internet Explorer's Certificate =
Manager in "Trusted Root Certification Authorities". Now all connections to=
the web service should be automatically accepted, right?

- They are accepted if I have created my Root CA in this way:
openssl req -new -x509 -keyout cakey.pem -out cacert.pem -days 3650

- But if I create my Root CA like this:
openssl req -new -keyout cakey.pem -out careq.pem=20
openssl ca -create_serial -out cacert.pem -days 3650 -batch -keyfile cakey=
..pem -selfsign -infiles careq.pem
Here all Certificates built from this CA were automatically rejected by Int=
ernet Explorer if I add the Root-CA to "Trusted Root Certificate Authoritie=

Can anybody tell me what's the difference between this certificate creation=
In the OpenSSL-Howto certificates.txt is listed that the first way should o=
nly used for test certificates. It may not be the recommended way to create=
a root ca. The reason should be descibed in a file "ca.txt", but I do not =
find such a documentation.

Thanks a lot, I hope you can help me so I can understand this
regards Chris

__________________________________________________ _______________
Importieren Sie ganz einfach Ihre E-Mail Adressen in den Messenger!
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org