From owner-freebsd-questions@FreeBSD.ORG Thu Aug 17 18:03:29 2006
From: "Dimitar Trandov - SysAdmin@Tokuda Bank" <d.trandov@tcebank.com>
Organization: Tokuda Bank Plc.
Date: Thu, 17 Aug 2006 21:03:50 +0300
To: freebsd-questions@freebsd.org
Message-ID: <44E4AF86.1080103@tcebank.com>
Subject: Make subordinate CA

Hi,

I have to use MS Certificate Services configured on a Windows machine outside of my company. My CA has to be subordinate to the CA on this MS Certificate Server (which would be the ROOT CA for my CA), and I want my CA to be able to generate its own certificates.
So, I created a certificate request on my FreeBSD CA server (FreeBSD some.domain 5.4-STABLE FreeBSD 5.4-STABLE #1), submitted it via mail to the MS Certificate Server, and after that I got a new CA certificate file. My OpenSSL is 0.9.7e-p1 25 Oct 2004. My request command was:

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out request.pem

But it appears that the certificate created by MS Certificate Services is not properly configured as a CA certificate. When I create a client certificate with my CA and install it on a client machine, I can see the path from the certificate to the ROOT CA, but with a yellow triangle on my public CA cert. Clicking on it in the chain, it says: "This certification authority does not appear to be allowed to issue certificates or cannot be used as an end entity certificate".

My question is: which option should I use when generating the request for my subordinate CA, so that I can then sign my own certificates to use in my company? Something in basicConstraints or keyUsage, I guess?!?

Thanks in advance, and excuse me for my bad English.

D.Trandov
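An added example, not from the mail above: a CSR for a subordinate CA has to carry the X.509v3 extensions a CA needs (basicConstraints CA:TRUE and keyUsage keyCertSign/cRLSign), and the same `-text` dump used on the returned certificate shows whether the issuer actually granted them. The config section, file names (subca.*) and subject are assumptions chosen for this example; it assumes an OpenSSL binary on PATH.

```shell
#!/bin/sh
# Added example (not the original poster's code). Builds a sub-CA request with the
# extensions a CA needs, then checks a CSR or certificate for them.

# Minimal req config. The [ca_ext] section is what a bare "openssl req -new" lacks:
# CA:TRUE marks a CA, keyCertSign/cRLSign let it sign certs and CRLs,
# pathlen:0 keeps it from creating further sub-CAs. Names here are assumed.
write_subca_config() {
    cat > "$1" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
req_extensions = ca_ext

[ dn ]
CN = Example Subordinate CA
O = Example Org

[ ca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Generate key and CSR in one step; -newkey needs a type:size argument.
# $1 is a path prefix: writes $1.cnf, $1.key and $1.csr.
make_subca_request() {
    write_subca_config "$1.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$1.cnf" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Return 0 if the object has both CA:TRUE and the keyCertSign usage.
# $1 is the openssl subcommand (req for a CSR, x509 for a certificate), $2 the file.
has_ca_extensions() {
    txt=$(openssl "$1" -in "$2" -noout -text) || return 1
    printf '%s\n' "$txt" | grep -q 'CA:TRUE' || return 1
    printf '%s\n' "$txt" | grep -q 'Certificate Sign' || return 1
    return 0
}

csr_requests_ca() { has_ca_extensions req "$1"; }   # what we asked for
cert_is_ca()      { has_ca_extensions x509 "$1"; }  # what the issuer granted
```

The issuing CA decides which requested extensions end up in the certificate, so run `cert_is_ca` on the file that comes back: if it fails, the fix is on the issuer's side, not in the request.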