Make subordinate CA

Dimitar Trandov - SysAdmin at Tokuda Bank d.trandov at tcebank.com
Thu Aug 17 18:03:29 UTC 2006


Hi,
I have to use MS Certificate Services configured on a Windows machine 
outside of my company.

My CA has to be subordinate to the CA on this MS Certificate Server 
(which would be the ROOT CA for my CA), and
I want my CA to be able to generate its own certificates.
So, I created a certificate request on my FreeBSD CA server (FreeBSD 
some.domain 5.4-STABLE FreeBSD 5.4-STABLE #1)
and submitted it via mail to the MS Certificate Server, and after that I got a 
new CA certificate file. My OpenSSL is 0.9.7e-p1 25 Oct 2004.

My request command was:
openssl req -new -newkey -nodes -keyout server.key -out request.pem

But it appears that the certificate that got created by MS Certificate 
Services is not properly configured as a CA certificate.
When I create a client certificate with my CA and install it on a client 
machine, I can see the path from the certificate to the
ROOT CA, but with a yellow triangle on my public CA cert. When I click on it in 
the chain, it says:
"This certification authority does not appear to be allowed to issue 
certificates or cannot be used as an end entity certificate".
My question is: which option should I use when generating the request for my 
root subordinate CA and then signing my own certificates to use in my 
company? Something in the basic constraints or KeyUsage option, I guess?

Thanks in advance and excuse me for my bad English
D.Trandov
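
An added example, not part of the original post: a CSR that requests CA extensions, and a check that an issued certificate really carries basicConstraints CA:TRUE and a key usage permitting certificate signing. The file names, subject name, section name v3_subca, key size and pathlen:0 are assumptions made for illustration; whether the issuing CA honors requested extensions depends on its own policy, so the issued certificate should always be checked.

```shell
#!/bin/sh
# Added example; all names and values below are constructed for illustration.

# Write a minimal OpenSSL config that asks for CA extensions in the CSR.
write_subca_conf() {   # usage: write_subca_conf <conf-out>
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = v3_subca
prompt             = no

[ dn ]
CN = Example Subordinate CA

[ v3_subca ]
# pathlen:0 (assumption): this CA may issue end-entity certs, not further CAs
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

# Generate a new unencrypted key and a CSR carrying the requested extensions.
make_subca_csr() {     # usage: make_subca_csr <conf> <key-out> <csr-out>
    openssl req -new -newkey rsa:2048 -nodes -config "$1" \
        -keyout "$2" -out "$3" 2>/dev/null
}

# Succeed if the CSR actually contains the CA:TRUE request.
csr_requests_ca() {    # usage: csr_requests_ca <csr>
    openssl req -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Succeed only if the issued certificate is usable as a CA:
# CA:TRUE must be present, and if a Key Usage extension exists it must
# include "Certificate Sign". Returns 2 if the file cannot be parsed.
cert_is_ca() {         # usage: cert_is_ca <cert.pem>
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
        printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
    fi
    return 0
}
```

Run cert_is_ca on the certificate file returned by the issuing CA before signing anything with the new key; a non-zero result matches the warning quoted in the message above.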



