Date: Thu, 17 Aug 2006 21:03:50 +0300
From: "Dimitar Trandov - SysAdmin@Tokuda Bank" <d.trandov@tcebank.com>
To: freebsd-questions@freebsd.org
Subject: Make subordinate CA
Message-ID: <44E4AF86.1080103@tcebank.com>

Hi,

I have to use MS Certificate Services configured on a Windows machine outside of my company. My CA has to be subordinate to the CA on this MS Certificate Server (which would be the ROOT CA for my CA), and I want my CA to be able to generate its own certificates.

So, I created a certificate request on my FreeBSD CA server (FreeBSD some.domain 5.4-STABLE FreeBSD 5.4-STABLE #1) and submitted it via mail to the MS Certificate Server, and after that I got a new CA certificate file. My OpenSSL is 0.9.7e-p1 25 Oct 2004.

My submission was:

    openssl req -new -newkey -nodes -keyout server.key -out request.pem

But it appears that the certificate that got created by MS Certificate Services is not properly configured as a CA certificate. When I create a client certificate with my CA and install it on a client machine, I can see the path from the certificate to the ROOT CA, but with a yellow triangle on my public CA cert. When I click on it in the chain, it says: "This certification authority does not appear to be allowed to issue certificates or cannot be used as an end entity certificate".

My question is: which option should I use when generating the request for my root subordinate CA, so that I can then sign my own certificates for use in my company? Something in the basic constraints or KeyUsage option, I guess?!?

Thanks in advance and excuse me for my bad English

D.Trandov
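
The warning quoted in the message concerns the extensions in the certificate the issuing CA returned, so the first check is whether that certificate carries `basicConstraints` with `CA:TRUE` and, if `keyUsage` is present, `Certificate Sign`. The following is an added example, not part of the original message: the function names `ext_value`, `ca_cert_check` and `make_sample` are hypothetical, and the two certificates are constructed self-signed samples standing in for a correctly and an incorrectly issued subordinate CA certificate.

```shell
#!/bin/sh
# Print the value line that follows an extension header in `openssl x509 -text`.
ext_value() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | awk -v h="$2" 'index($0, h) { getline; print }'
}

# Return 0 if the certificate may act as a CA, 1 (with a reason) otherwise.
ca_cert_check() {
    bc=$(ext_value "$1" 'X509v3 Basic Constraints')
    ku=$(ext_value "$1" 'X509v3 Key Usage')
    case "$bc" in
        *CA:TRUE*) ;;
        *) echo "$1: basicConstraints lacks CA:TRUE (found: ${bc:-none})"; return 1 ;;
    esac
    # RFC 5280: when keyUsage is present on a CA certificate it must include keyCertSign.
    case "$ku" in
        ''|*'Certificate Sign'*) ;;
        *) echo "$1: keyUsage lacks Certificate Sign (found: $ku)"; return 1 ;;
    esac
    echo "$1: usable as a CA certificate"
}

# Constructed sample: self-signed cert with the given basicConstraints ($2) and keyUsage ($3).
make_sample() {
cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = constructed sample
[ext]
basicConstraints = $2
keyUsage = $3
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$1.cnf" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Demo on two constructed certificates: one with CA extensions, one without.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/subca" 'critical,CA:TRUE' 'keyCertSign,cRLSign'
make_sample "$demo_dir/leaf" 'CA:FALSE' 'digitalSignature,keyEncipherment'
ca_cert_check "$demo_dir/subca.pem"
ca_cert_check "$demo_dir/leaf.pem" || true
rm -rf "$demo_dir"
```

Running `ca_cert_check` against the certificate file received from the issuing CA shows which of the two extensions is missing or wrong.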