intermediate CA and smime cert

Mark Hack markhack at markhack.com
Thu Sep 7 14:46:58 UTC 2023


This works for me with 1 intermediate CA:

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical, CA:true, pathlen:1
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth


Regards

Mark Hack


On 9/7/23 08:10, Ronny Wagner via openssl-users wrote:


> Hello all,
>
> I need your help in setting up an intermediate CA that is allowed to issue smime certificates.
>
> In my previous attempts, the smime certificate could not authenticate with the intermediate CA.
>
> openssl.cnf - RootCA
> [ v3_user_intermediate_ca ]
> subjectKeyIdentifier            = hash
> authorityKeyIdentifier          = keyid:always,issuer
> basicConstraints                = critical, CA:true, pathlen:0
> keyUsage                        = critical, digitalSignature, keyCertSign, cRLSign
>
> openssl.cnf - UserCA
> [ smime ]
> basicConstraints = CA:FALSE
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment
> extendedKeyUsage = emailProtection
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always, issuer
> subjectAltName = email:copy
>
> I use the following command to create the smime certificate:
> $ openssl x509 -req -days 365 -in usermail.csr -CA cacert.pem -CAkey private/UserCA.key.pem -CAserial serial -out usermail_finish.pem -setalias " User E-Mail Certificate" -extfile UserCA/openssl.cnf -extensions smime
>
> Would you have a tip on where I can start here?
>
> Thank you very much.
>
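A self-contained way to exercise the extension sections from this thread end to end, added here as an example and not part of either message. It builds a root CA from the reply's v3_ca section, an intermediate from its v3_intermediate_ca section, and an S/MIME leaf from the question's smime section, then runs openssl verify three ways: with the intermediate supplied via -untrusted and -purpose smimesign (expected OK), without the intermediate (expected failure, because the leaf chains to the intermediate rather than to the root), and with -purpose sslserver (expected failure, because the extendedKeyUsage is emailProtection only). The subject names, file names and the minimal [req] section that openssl req needs when given -config are constructed for the example.

```shell
#!/bin/sh
# Added example: root -> intermediate -> S/MIME leaf with the thread's sections,
# then openssl verify with the right and the wrong purpose. Requires openssl.
set -eu

# Extension sections copied from the thread, plus a minimal [req] section
# (constructed) so that "openssl req -config" is satisfied when -subj is used.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical, CA:true, pathlen:1
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ smime ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
subjectAltName = email:copy
EOF
}

# Build root.pem, inter.pem and user.pem (plus keys) in directory $1.
# Subject names are constructed for the example.
build_chain() {
    dir="$1"
    write_config "$dir/ext.cnf"
    # Self-signed root; pathlen:1 permits exactly one CA level below it.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Root CA" -keyout "$dir/root.key" -out "$dir/root.pem" \
        -config "$dir/ext.cnf" -extensions v3_ca 2>/dev/null
    # Intermediate CSR, signed by the root with the v3_intermediate_ca section.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example User CA" -keyout "$dir/inter.key" -out "$dir/inter.csr" \
        -config "$dir/ext.cnf" 2>/dev/null
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1825 -sha256 -out "$dir/inter.pem" \
        -extfile "$dir/ext.cnf" -extensions v3_intermediate_ca 2>/dev/null
    # S/MIME leaf: emailAddress is in the subject so "subjectAltName = email:copy"
    # has something to copy. Signed by the intermediate with the smime section.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Alice Example/emailAddress=alice@example.com" \
        -keyout "$dir/user.key" -out "$dir/user.csr" -config "$dir/ext.cnf" 2>/dev/null
    openssl x509 -req -in "$dir/user.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
        -CAcreateserial -days 365 -sha256 -out "$dir/user.pem" \
        -extfile "$dir/ext.cnf" -extensions smime 2>/dev/null
}

# Verify the leaf in $1 for purpose $2, trusting only the root and supplying
# the intermediate as an untrusted chain certificate. Returns openssl's status.
verify_leaf() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" \
        -purpose "$2" "$1/user.pem" >/dev/null 2>&1
}

# Same check with the intermediate left out: the chain cannot be built.
verify_without_intermediate() {
    openssl verify -CAfile "$1/root.pem" -purpose smimesign "$1/user.pem" >/dev/null 2>&1
}

# Stand-alone run: build once and report the three outcomes.
WORK="$(mktemp -d)"
build_chain "$WORK"
if verify_leaf "$WORK" smimesign; then
    echo "smimesign with -untrusted inter.pem: OK"
else
    echo "smimesign with -untrusted inter.pem: FAILED (unexpected)"; exit 1
fi
if verify_without_intermediate "$WORK"; then
    echo "without intermediate: OK (unexpected)"; exit 1
else
    echo "without intermediate: rejected (expected, issuer not found)"
fi
if verify_leaf "$WORK" sslserver; then
    echo "sslserver purpose: OK (unexpected)"; exit 1
else
    echo "sslserver purpose: rejected (expected, EKU is emailProtection only)"
fi
```

The middle case is the one worth keeping in mind when a leaf "cannot authenticate": the verifier only trusts the root, so the intermediate has to be presented alongside the leaf (here via -untrusted; in a mail client, by bundling it with the user certificate). The last case shows that -purpose is checked against extendedKeyUsage, so the same leaf is correctly rejected for any purpose its EKU does not cover.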

