On 30.05.23 14:00, openssl-users-request@xxxxxxxxxxx digested:
From: Yannik Sembritzki <yannik@xxxxxxxxxxxxxx>
I am trying to cross-sign a third party certificate which is *not* self signed (e.g. a third party intermediate CA, or even a particular client certificate) [...] This results in the following error:
Error with certificate to be certified - should be self-signed
[...]
Could anybody explain the reason for this restriction?
I'm not saying that these hands down invalidate each and every use case, but off the top of my head:
1. The cert (or, for that matter, CSR) being *self* signed serves as proof that the requesting party is in possession of the private key.
2. You want to sign info on the subject you verified, not someone else's interpretation of the subject; e.g., a person's cert from a 3rd party CA giving the OU as "FooBar E-Mail-Reply Verified Personal Certificates" is unlikely to correctly state the dpt. the person works in. (Assuming that you would want to copy *anything* beyond the pubkey from the preexisting cert into the new one, of course.)

Regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
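An added illustration of the two points above (example script, not part of the thread): the test behind the "should be self-signed" error is whether a certificate verifies under the public key it itself carries, and a CSR's self-signature is what proves possession of the key. All keys and certificates are constructed on the fly; the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Constructed demo: our CA, a third-party CA, and a user certificate that
# the third party issued. Nothing here is the poster's material.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

newkey() {  # $1 = output file; EC P-256 keeps the demo fast
    openssl ecparam -genkey -name prime256v1 -noout -out "$1"
}

# is_self_signed CERT: succeeds only if CERT chains to itself and its
# signature verifies with its own public key (-check_ss_sig forces that
# check on the trust anchor). This is the property -ss_cert insists on.
is_self_signed() {
    openssl verify -check_ss_sig -CAfile "$1" "$1" >/dev/null 2>&1
}

self_signed_status() {  # prints a label for CERT, for display
    if is_self_signed "$1"; then echo self-signed; else echo issued-by-other; fi
}

# Two self-signed roots: ours and a third party's.
newkey "$WORK/our.key"
openssl req -x509 -key "$WORK/our.key" -subj '/CN=Our Root' -days 30 \
    -out "$WORK/our.crt" 2>/dev/null
newkey "$WORK/third.key"
openssl req -x509 -key "$WORK/third.key" -subj '/CN=Third Party Root' -days 30 \
    -out "$WORK/third.crt" 2>/dev/null

# The user's CSR is signed with the user's own key: that signature is the
# proof of possession which "openssl req -verify" checks. The OU is the
# third party's wording, not something we verified ourselves (point 2).
newkey "$WORK/user.key"
openssl req -new -key "$WORK/user.key" \
    -subj '/CN=User/OU=FooBar E-Mail-Reply Verified' -out "$WORK/user.csr" 2>/dev/null

# The third party issues the certificate: signed by third.key, so it is
# not self-signed and says nothing about who holds user.key.
openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/third.crt" -CAkey "$WORK/third.key" \
    -set_serial 1 -days 30 -out "$WORK/user.crt" 2>/dev/null

for c in our third user; do
    printf '%s.crt: %s\n' "$c" "$(self_signed_status "$WORK/$c.crt")"
done
```

Feeding user.crt to `openssl ca -ss_cert` would trip exactly the check `is_self_signed` performs; re-certifying the subject from a fresh CSR keeps both the proof of possession and control over which fields you assert.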