intermediate CA and smime cert

Bernhard Fröhlich ted at convey.de
Thu Sep 7 13:53:34 UTC 2023


Hi Ronny,

Just a shot from the hip: your root CA has pathlen:1 (or more) in its 
basicConstraints? See 
<https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html>

Hope it helps
Ted


On 07.09.2023 15:10, Ronny Wagner via openssl-users wrote:
> Hello all,
>
> I need your help in setting up an intermediate CA that is allowed to issue smime certificates.
>
> In my previous attempts, the smime certificate could not authenticate with the intermediate CA.
>
> openssl.cnf - RootCA
> [ v3_user_intermediate_ca ]
> subjectKeyIdentifier            = hash
> authorityKeyIdentifier          = keyid:always,issuer
> basicConstraints                = critical, CA:true, pathlen:0
> keyUsage                        = critical, digitalSignature, keyCertSign, cRLSign
>
> openssl.cnf - UserCA
> [ smime ]
> basicConstraints = CA:FALSE
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment
> extendedKeyUsage = emailProtection
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always, issuer
> subjectAltName = email:copy
>
> I use the following command to create the smime certificate:
> $ openssl x509 -req -days 365 -in usermail.csr -CA cacert.pem -CAkey private/UserCA.key.pem -CAserial serial -out usermail_finish.pem -setalias " User E-Mail Certificate" -extfile UserCA/openssl.cnf -extensions smime
>
> Would you have a tip on where I can start here?
>
> Thank you very much.
>
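
A reproduction of the check suggested in the reply, as an added example that is not part of either poster's message: it builds a throwaway root, user CA and S/MIME certificate from the quoted `v3_user_intermediate_ca` and `smime` sections and runs `openssl verify` twice, once with `pathlen:1` on the root and once with `pathlen:0`, which OpenSSL 1.1.1 and 3.x reject with "path length constraint exceeded". The `root` section, file names, subjects and e-mail address are assumptions; a literal address replaces `email:copy` because the demo subject carries no emailAddress.

```bash
# Added example: every file name, subject and e-mail address here is constructed.
set -eu
new_csr() {  # $1 = dir, $2 = file stem, $3 = common name
  openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" \
    -keyout "$1/$2.key" -subj "/CN=$3" -out "$1/$2.csr" 2>/dev/null
}
sign() {  # $1 = dir, $2 = file stem, $3 = extension section, rest = issuer options
  s_dir=$1 s_name=$2 s_ext=$3; shift 3
  openssl x509 -req -days 30 -in "$s_dir/$s_name.csr" -extfile "$s_dir/pki.cnf" \
    -extensions "$s_ext" -out "$s_dir/$s_name.pem" "$@" 2>/dev/null
}
build_chain() {  # $1 = dir, $2 = basicConstraints value given to the root CA
  mkdir -p "$1"
  cat > "$1/pki.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ root ]
basicConstraints = critical, $2
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_user_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
[ smime ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
subjectAltName = email:user@example.test
EOF
  new_csr "$1" root "Demo Root CA"; new_csr "$1" inter "Demo User CA"
  new_csr "$1" user "Demo User"
  sign "$1" root root -signkey "$1/root.key"
  sign "$1" inter v3_user_intermediate_ca -CA "$1/root.pem" -CAkey "$1/root.key" -CAcreateserial
  sign "$1" user smime -CA "$1/inter.pem" -CAkey "$1/inter.key" -CAcreateserial
}
verify_chain() {  # exit 0 only if user.pem chains to root.pem for S/MIME signing
  openssl verify -purpose smimesign -CAfile "$1/root.pem" \
    -untrusted "$1/inter.pem" "$1/user.pem" 2>&1
}
w=$(mktemp -d); i=0
for bc in "CA:true, pathlen:1" "CA:true, pathlen:0"; do
  i=$((i+1)); build_chain "$w/$i" "$bc"
  echo "== root basicConstraints: $bc"; verify_chain "$w/$i" || true
done
```

To inspect an existing root for the same constraint, `openssl x509 -in cacert.pem -noout -text` prints the Basic Constraints extension, including any pathlen value.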