Hi everyone,
I am trying to cross-sign a third party certificate which is
*not* self signed (e.g. a third party intermediate CA, or even a
particular client certificate) like this:
openssl x509 -in third-party.crt -CA /etc/pki/r1/ca.crt -CAkey
/etc/pki/r1/private/ca.key -out third-party-cross-signed.crt
-set_serial 1000
This results in the following error: Error with certificate
to be certified - should be self-signed
The same thing works for signing third-party root CAs (as they are
self-signed), but that might be too broad in some situations.
Could anybody explain the reason for this restriction?
Best regards
Yannik
