Hi Ronny,
just a shot from the hip, your root CA has pathlen:1 (or more) in its
basicConstraints? See
<https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html>
Hope it helps
Ted
On 07.09.2023 15:10, Ronny Wagner via openssl-users wrote:
Hello all,
I need your help in setting up an intermediate CA that is allowed to issue S/MIME certificates.
In my previous attempts, the S/MIME certificate could not authenticate with the intermediate CA.
openssl.cnf - RootCA
[ v3_user_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
openssl.cnf - UserCA
[ smime ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
subjectAltName = email:copy
I use the following command to create the smime certificate:
$ openssl x509 -req -days 365 -in usermail.csr -CA cacert.pem -CAkey private/UserCA.key.pem -CAserial serial -out usermail_finish.pem -setalias " User E-Mail Certificate" -extfile UserCA/openssl.cnf -extensions smime
Would you have a tip on where I can start here?
Thank you very much.
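
One way to reproduce the setup discussed in this thread and check the resulting chain, as an added example that is not part of either message. The `v3_user_intermediate_ca` and `smime` sections are the ones quoted above; the `v3_root` section, the file names, the "Demo" subjects and the address `user@example.test` are constructed for the example, and the root's pathlen is taken from the first argument.

```shell
# Added example: builds root -> user CA (pathlen:0) -> S/MIME leaf in a temp dir.
smime_chain_check() (
    d=$(mktemp -d) || exit 2
    trap 'rm -rf "$d"' EXIT
    cd "$d" || exit 2
    cat > ca.cnf <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ v3_root ]
basicConstraints = critical, CA:true, pathlen:${1:-1}
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_user_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
[ smime ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
subjectAltName = email:copy
EOF
    # newreq NAME SUBJECT: fresh key plus CSR (constructed helper)
    newreq() { openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
                   -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null; }
    # sign NAME ISSUER SECTION: -CA and -CAkey always belong to the same issuer
    sign() { openssl x509 -req -days 30 -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
                 -CAcreateserial -extfile ca.cnf -extensions "$3" -out "$1.pem" 2>/dev/null; }
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config ca.cnf -extensions v3_root \
        -keyout root.key -out root.pem -subj "/CN=Demo Root CA" 2>/dev/null &&
    newreq userca "/CN=Demo User CA" &&
    sign userca root v3_user_intermediate_ca &&
    newreq usermail "/CN=Demo User/emailAddress=user@example.test" &&
    sign usermail userca smime &&
    # Root is the trust anchor, the user CA is supplied as an untrusted intermediate.
    openssl verify -purpose smimesign -CAfile root.pem -untrusted userca.pem usermail.pem
)
smime_chain_check 1
```

Calling `smime_chain_check 0` puts pathlen:0 on the constructed root, so the verify output for both values can be compared on the OpenSSL build in use.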