> On Jan 9, 2018, at 8:29 PM, Norm Green <norm.green@xxxxxxxxxxxxxxxxxx> wrote:
>
> openssl x509 -in secondIntermedCa.pem -noout -text
>     Signature Algorithm: sha256WithRSAEncryption
>     Issuer: 1.3.6.1.4.1.47749.1.1 = userCA, CN = EmeaCA
>     Subject: 1.3.6.1.4.1.47749.1.1 = userCA, CN = KapitalCA
>     X509v3 extensions:
>         X509v3 Subject Key Identifier:
>             C7:26:0D:BB:DF:7E:90:CA:7F:A0:C8:B7:CC:09:44:27:C0:53:A7:97
>         X509v3 Authority Key Identifier:
>             keyid:0F:D8:48:FB:6C:8D:C3:1A:E1:5C:94:32:45:E8:EA:DE:5B:C5:E5:34
>         X509v3 Basic Constraints: critical
>             CA:TRUE
>         X509v3 Key Usage:
>             Digital Signature, Key Encipherment

The Key Usage is not what I'd expect for a CA.

> openssl x509 -in firstIntermedCa.pem -noout -text
>     Issuer: 1.3.6.1.4.1.47749.1.1 = rootCA
>     Subject: 1.3.6.1.4.1.47749.1.1 = userCA, CN = EmeaCA
>     X509v3 extensions:
>         X509v3 Subject Key Identifier:
>             0F:D8:48:FB:6C:8D:C3:1A:E1:5C:94:32:45:E8:EA:DE:5B:C5:E5:34
>         X509v3 Authority Key Identifier:
>             keyid:5D:A3:87:58:67:E9:3D:B2:4F:8A:87:DA:CA:26:39:FF:FE:70:D5:F2
>         X509v3 Basic Constraints: critical
>             CA:TRUE
>         X509v3 Key Usage:
>             Digital Signature, Key Encipherment

Same here.

> openssl x509 -in rootCa.pem -noout -text
>     Issuer: 1.3.6.1.4.1.47749.1.1 = rootCA
>     Subject: 1.3.6.1.4.1.47749.1.1 = rootCA
>     X509v3 extensions:
>         X509v3 Subject Key Identifier:
>             5D:A3:87:58:67:E9:3D:B2:4F:8A:87:DA:CA:26:39:FF:FE:70:D5:F2
>         X509v3 Authority Key Identifier:
>             keyid:5D:A3:87:58:67:E9:3D:B2:4F:8A:87:DA:CA:26:39:FF:FE:70:D5:F2
>
>         X509v3 Basic Constraints: critical
>             CA:TRUE
>         X509v3 Key Usage:
>             Certificate Sign, CRL Sign

This Key Usage is more appropriate.  When the "Key Usage" is present in a CA
certificate, it *MUST* include "Certificate Sign".

-- 
	Viktor.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
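The rule Viktor states (RFC 5280 section 4.2.1.3: a key whose certificate carries a Key Usage extension may only verify certificate signatures if the keyCertSign bit is set) can be linted mechanically over the `openssl x509 -noout -text` dumps posted above. The following is an added example, not code from the thread or from OpenSSL: it uses only the Python standard library, parses the text dump format shown in the thread, links the chain via Subject/Authority Key Identifier and issuer/subject names, and reports every CA:TRUE certificate whose Key Usage is present but lacks "Certificate Sign". The function names are mine, and the three dumps embedded as sample input are constructed to mirror the ones Norm posted.

```python
"""Lint `openssl x509 -noout -text` dumps for the CA Key Usage rule (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CertInfo:
    subject: str
    issuer: str
    is_ca: bool
    key_usage: Optional[List[str]]  # None when the Key Usage extension is absent
    ski: Optional[str]              # Subject Key Identifier, upper-case hex
    aki: Optional[str]              # Authority Key Identifier keyid, upper-case hex


def _next_nonblank(lines: List[str], i: int) -> str:
    """Return the first non-empty line after index i (extension values sit on the next line)."""
    for line in lines[i + 1:]:
        if line:
            return line
    return ""


def parse_x509_text(text: str) -> CertInfo:
    """Extract subject, issuer, CA flag, Key Usage, SKI and AKI from one text dump."""
    lines = [ln.strip() for ln in text.splitlines()]
    info = CertInfo("", "", False, None, None, None)
    for i, line in enumerate(lines):
        if line.startswith("Issuer:"):
            info.issuer = line.split(":", 1)[1].strip()
        elif line.startswith("Subject:"):   # does not match "X509v3 Subject Key Identifier"
            info.subject = line.split(":", 1)[1].strip()
        elif line.startswith("X509v3 Basic Constraints"):
            info.is_ca = "CA:TRUE" in _next_nonblank(lines, i)
        elif line.startswith("X509v3 Key Usage"):
            usage = _next_nonblank(lines, i)
            info.key_usage = [u.strip() for u in usage.split(",") if u.strip()]
        elif line.startswith("X509v3 Subject Key Identifier"):
            info.ski = _next_nonblank(lines, i).upper()
        elif line.startswith("X509v3 Authority Key Identifier"):
            m = re.search(r"keyid:([0-9A-Fa-f:]+)", _next_nonblank(lines, i))
            info.aki = m.group(1).upper() if m else None
    return info


def ca_key_usage_problems(cert: CertInfo) -> List[str]:
    """RFC 5280 4.2.1.3: a CA certificate that has Key Usage MUST include Certificate Sign."""
    if not cert.is_ca or cert.key_usage is None:
        return []  # end-entity cert, or no Key Usage extension to contradict CA:TRUE
    if "Certificate Sign" not in cert.key_usage:
        return [f"{cert.subject}: CA:TRUE but Key Usage {cert.key_usage} lacks Certificate Sign"]
    return []


def check_chain(dumps: List[str]) -> List[str]:
    """Check a leaf-to-root list of dumps: name/key-id linkage plus the CA Key Usage rule."""
    certs = [parse_x509_text(d) for d in dumps]
    problems: List[str] = []
    for child, parent in zip(certs, certs[1:]):
        if child.issuer != parent.subject:
            problems.append(f"{child.subject}: issuer '{child.issuer}' != next subject '{parent.subject}'")
        if child.aki and parent.ski and child.aki != parent.ski:
            problems.append(f"{child.subject}: AKI {child.aki} does not match issuer SKI {parent.ski}")
    for cert in certs:
        problems.extend(ca_key_usage_problems(cert))
    return problems


# Constructed sample input mirroring the three dumps in the thread.
SECOND_INTERMEDIATE_CA = """\
    Issuer: 1.3.6.1.4.1.47749.1.1 = userCA, CN = EmeaCA
    Subject: 1.3.6.1.4.1.47749.1.1 = userCA, CN = KapitalCA
    X509v3 extensions:
        X509v3 Subject Key Identifier:
            C7:26:0D:BB:DF:7E:90:CA:7F:A0:C8:B7:CC:09:44:27:C0:53:A7:97
        X509v3 Authority Key Identifier:
            keyid:0F:D8:48:FB:6C:8D:C3:1A:E1:5C:94:32:45:E8:EA:DE:5B:C5:E5:34
        X509v3 Basic Constraints: critical
            CA:TRUE
        X509v3 Key Usage:
            Digital Signature, Key Encipherment
"""
FIRST_INTERMEDIATE_CA = """\
    Issuer: 1.3.6.1.4.1.47749.1.1 = rootCA
    Subject: 1.3.6.1.4.1.47749.1.1 = userCA, CN = EmeaCA
    X509v3 extensions:
        X509v3 Subject Key Identifier:
            0F:D8:48:FB:6C:8D:C3:1A:E1:5C:94:32:45:E8:EA:DE:5B:C5:E5:34
        X509v3 Authority Key Identifier:
            keyid:5D:A3:87:58:67:E9:3D:B2:4F:8A:87:DA:CA:26:39:FF:FE:70:D5:F2
        X509v3 Basic Constraints: critical
            CA:TRUE
        X509v3 Key Usage:
            Digital Signature, Key Encipherment
"""
ROOT_CA = """\
    Issuer: 1.3.6.1.4.1.47749.1.1 = rootCA
    Subject: 1.3.6.1.4.1.47749.1.1 = rootCA
    X509v3 extensions:
        X509v3 Subject Key Identifier:
            5D:A3:87:58:67:E9:3D:B2:4F:8A:87:DA:CA:26:39:FF:FE:70:D5:F2
        X509v3 Authority Key Identifier:
            keyid:5D:A3:87:58:67:E9:3D:B2:4F:8A:87:DA:CA:26:39:FF:FE:70:D5:F2

        X509v3 Basic Constraints: critical
            CA:TRUE
        X509v3 Key Usage:
            Certificate Sign, CRL Sign
"""

if __name__ == "__main__":
    for problem in check_chain([SECOND_INTERMEDIATE_CA, FIRST_INTERMEDIATE_CA, ROOT_CA]):
        print(problem)
```

Run against real certificates by feeding each `openssl x509 -in <file> -noout -text` output, leaf first, into `check_chain`. For the chain in the thread it reports both intermediates and is silent about the root; the linkage checks pass, so the only defect is the one Viktor names, which is what you want to confirm before regenerating the intermediates with a Key Usage of Certificate Sign (and CRL Sign if they issue CRLs).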