I'm creating a self-signed x509 certificate with some extensions.
I have to set DNS and URI in subjectAltName,
keyUsage and extendedKeyUsage.

subjectAltName = URI:opc.tcp://FOO:4840, DNS:FOO
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth

If I do so I get an invalid certificate: "certificate signing authority is
unknown or invalid"
Without the extensions the certificate is valid.

I think OpenSSL is missing some information if these extensions are present.

The questions
1.) Do I have to set basicConstraints to CA:TRUE or CA:FALSE for a self-signed
2.) What extension is missing or wrong so that I can get valid certificate?

Best regards

Gerhard Gappmeier
ascolab GmbH - automation system communication laboratory
Tel.: +49 9131 691 123
Fax: +49 9131 691 128
Web: http://www.ascolab.com
GPG-Key: http://www.ascolab.com/gpg/gg.asc
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
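
Added example (not part of the original post and not code from the OpenSSL project): one way to reproduce the setup and print which extensions actually end up in the certificate, then ask OpenSSL to verify the certificate with itself as the only trust anchor. It assumes the extensions are supplied through an x509_extensions section of a config file passed to "openssl req -x509"; the CN, key size, validity, section names and file names are assumptions, and the URI entry is read as URI:opc.tcp://FOO:4840.

```shell
#!/bin/sh
# Added example: self-signed certificate with the extensions from the post.
# Section names, CN, key size and file names are assumptions.

make_cert() {   # $1 = working directory
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ext
prompt             = no

[ dn ]
CN = FOO

[ v3_ext ]
subjectAltName   = URI:opc.tcp://FOO:4840, DNS:FOO
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
    # req -x509 only adds extensions named by x509_extensions (or -extensions).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$1/openssl.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

show_extensions() {   # $1 = certificate file; prints the encoded extensions
    openssl x509 -in "$1" -noout -text |
        sed -n '/X509v3 extensions:/,/Signature Algorithm/p'
}

check_self_trust() {  # $1 = certificate file; verify it against itself
    openssl verify -CAfile "$1" "$1"
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

make_cert "$workdir"
show_extensions "$workdir/cert.pem"

# Report what OpenSSL itself says; the result depends on the OpenSSL version.
if check_self_trust "$workdir/cert.pem"; then
    echo "openssl verify: accepted with the certificate as its own trust anchor"
else
    echo "openssl verify: rejected, see the error above"
fi
```

Comparing this output with the message from the consuming application shows whether the complaint comes from OpenSSL's own chain check or from the application's trust store and policy.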