Cross-signing non-self-signed third party certificate
Yannik Sembritzki
yannik at sembritzki.org
Mon May 29 13:25:35 UTC 2023
Hi everyone,
I am trying to cross-sign a third party certificate which is *not* self
signed (e.g. a third party intermediate CA, or even a particular client
certificate) like this:
/openssl x509 -in third-party.crt -CA /etc/pki/r1/ca.crt -CAkey
/etc/pki/r1/private/ca.key -out third-party-cross-signed.crt -set_serial
1000/
This results in the following error: /Error with certificate to be
certified - should be self-signed//
/
The same thing works for signing third-party root CAs (as they are
self-signed), but that might be too broad in some situations.
Could anybody explain the reason for this restriction?
Best regards
Yannik
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20230529/f096262a/attachment.htm>
More information about the openssl-users
mailing list