This works for me with 1 intermediate CA:

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical, CA:true, pathlen:1
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

Regards
Mark Hack

On 9/7/23 08:10, Ronny Wagner via openssl-users wrote:
Hello all,

I need your help in setting up an intermediate CA that is allowed to issue smime certificates. In my previous attempts, the smime certificate could not authenticate with the intermediate CA.

openssl.cnf - RootCA

[ v3_user_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign, cRLSign

openssl.cnf - UserCA

[ smime ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
subjectAltName = email:copy

I use the following command to create the smime certificate:

$ openssl x509 -req -days 365 -in usermail.csr -CA cacert.pem -CAkey private/UserCA.key.pem -CAserial serial -out usermail_finish.pem -setalias " User E-Mail Certificate" -extfile UserCA/openssl.cnf -extensions smime

Would you have a tip on where I can start here?

Thank you very much.
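
An added example, not code from either message: it builds a root, an intermediate and an S/MIME leaf with `openssl x509 -req` using the `v3_ca`, `v3_intermediate_ca` and `smime` extension sections quoted in this thread, then checks the leaf with `openssl verify -purpose smimesign`. The file names, subject names, the `[ req ]`/`[ dn ]` stub and the address user@example.test are assumptions made for the example.

```shell
#!/bin/sh
# Added example: root -> intermediate -> S/MIME leaf, all signed with `openssl x509 -req`.
# File names, subjects and user@example.test are constructed for illustration.
build_chain() (   # $1 = empty working directory
    cd "$1" || exit 1
    cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical, CA:true, pathlen:1
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ smime ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
subjectAltName = email:copy
EOF
    for n in root userca usermail; do   # one key and CSR per certificate
        openssl req -new -newkey rsa:2048 -nodes -config ext.cnf -keyout $n.key \
            -subj "/CN=Example $n/emailAddress=user@example.test" -out $n.csr || exit 1
    done
    # Root signs itself, root signs the intermediate, the intermediate signs the leaf.
    openssl x509 -req -days 30 -in root.csr -signkey root.key \
        -extfile ext.cnf -extensions v3_ca -out root.pem &&
    openssl x509 -req -days 30 -in userca.csr -CA root.pem -CAkey root.key \
        -CAcreateserial -extfile ext.cnf -extensions v3_intermediate_ca -out userca.pem &&
    openssl x509 -req -days 30 -in usermail.csr -CA userca.pem -CAkey userca.key \
        -CAcreateserial -extfile ext.cnf -extensions smime -out usermail.pem
)

verify_leaf() (   # $1 = dir, $2 = purpose, $3 = optional file of untrusted intermediates
    cd "$1" || exit 1
    openssl verify -purpose "$2" -CAfile root.pem \
        ${3:+-untrusted "$3"} usermail.pem >/dev/null 2>&1
)
```

After `build_chain "$dir"`, `verify_leaf "$dir" smimesign userca.pem` succeeds, while omitting `userca.pem` or asking for `sslserver` fails, which separates a chain-building problem from an extension problem.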