2Mar
Intermediate certificate not allowed to issue certificates?
I'm making a certificate chain:
..|root
.....|intermediate
........|server
When my certificates are installed, the intermediate certificate has an error:
This certification authority is not allowed to issue certificates or cannot be used as an end-entity certificate.
As a result, my server certificate is invalid.
My code:
#Root CA
OpenSSL> genrsa -out root.key 4096
OpenSSL> req -new -x509 -days 1826 -key root.key -out root.crt
#Intermidiate CA
OpenSSL> genrsa -out intermediate.key 4096
OpenSSL> req -new -key intermediate.key -out intermediate.csr
#Root signs Intermidiate
OpenSSL> x509 -req -days 1826 -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial -out intermediate.crt
#Server CA
OpenSSL> genrsa -out server.key 4096
OpenSSL> req -new -key server.key -out server.csr
#Intermediate signs Server
OpenSSL> x509 -req -days 1826 -in server.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial -out server.crt
My config file:
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
x509_extensions = v3_ca
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
keyUsage = digitalSignature, nonRepudiation
extendedKeyUsage = serverAuth,clientAuth,emailProtection,codeSigning
[ req_distinguished_name ]
# Variable name Prompt string
#------------------------- ----------------------------------
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------ ------------------------------
0.organizationName_default = My Company
localityName_default = My Town
stateOrProvinceName_default = State or Providence
countryName_default = US
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:TRUE
Honestly, I'm a beginner when it comes to making certificates. My configuration file was copied from the internet. I need some help. What am I doing wrong? How do I get rid of the error?