
Intermediate certificate not allowed to issue certificates?

Çağlar Arlı

I'm making a certificate chain:

root
  intermediate
    server

When my certificates are installed, the intermediate certificate has an error:

This certification authority is not allowed to issue certificates or cannot be used as an end-entity certificate.

As a result, my server certificate is invalid.

My code:

#Root CA
OpenSSL> genrsa -out root.key 4096
OpenSSL> req -new -x509 -days 1826 -key root.key -out root.crt

#Intermediate CA
OpenSSL> genrsa -out intermediate.key 4096
OpenSSL> req -new -key intermediate.key -out intermediate.csr

#Root signs Intermediate
OpenSSL> x509 -req -days 1826 -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial -out intermediate.crt

#Server CA
OpenSSL> genrsa -out server.key 4096
OpenSSL> req -new -key server.key -out server.csr

#Intermediate signs Server
OpenSSL> x509 -req -days 1826 -in server.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial -out server.crt

My config file:

dir                     = .

[ ca ]
default_ca              = CA_default

[ CA_default ]
serial                  = $dir/serial
database                = $dir/certindex.txt
new_certs_dir           = $dir/certs
certificate             = $dir/cacert.pem
private_key             = $dir/private/cakey.pem
default_days            = 365
default_md              = md5
preserve                = no
email_in_dn             = no
nameopt                 = default_ca
certopt                 = default_ca
policy                  = policy_match
x509_extensions         = v3_ca

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits            = 1024              # Size of keys
default_keyfile         = key.pem           # name of generated keys
default_md              = md5               # message digest algorithm
string_mask             = nombstr           # permitted characters
distinguished_name      = req_distinguished_name
req_extensions          = v3_req
keyUsage                = digitalSignature, nonRepudiation
extendedKeyUsage        = serverAuth,clientAuth,emailProtection,codeSigning

[ req_distinguished_name ]
# Variable name                Prompt string
#-------------------------    ----------------------------------
commonName                     = Common Name (hostname, IP, or your name)
commonName_max                 = 64
0.organizationName             = Organization Name (company)
organizationalUnitName         = Organizational Unit Name (department, division)
emailAddress                   = Email Address
emailAddress_max               = 40
localityName                   = Locality Name (city, district)
stateOrProvinceName            = State or Province Name (full name)
countryName                    = Country Name (2 letter code)
countryName_min                = 2
countryName_max                = 2

# Default values for the above, for consistency and less typing.
# Variable name                Value
#------------------------     ------------------------------
0.organizationName_default     = My Company
localityName_default           = My Town
stateOrProvinceName_default    = State or Providence
countryName_default            = US

[ v3_ca ]
basicConstraints            = CA:TRUE
subjectKeyIdentifier        = hash
authorityKeyIdentifier      = keyid:always,issuer:always

[ v3_req ]
basicConstraints            = CA:TRUE
subjectKeyIdentifier        = hash

[ usr_cert ]
basicConstraints            = CA:TRUE

Honestly, I'm a beginner when it comes to making certificates. My configuration file was copied from the internet. I need some help. What am I doing wrong? How do I get rid of the error?
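The same three-level chain rebuilt so that the intermediate actually carries basicConstraints CA:TRUE, as an added example that is not part of the original post: `openssl x509 -req` only adds the extensions named with `-extfile`/`-extensions`, it does not pick up `v3_req` from the CSR or `x509_extensions` from the config, so the intermediate above is issued with no CA flag at all. The script assumes a POSIX shell and an OpenSSL 1.1.1 or 3.x command line; the config sections, file names, subjects and the `www.example.test` host name are constructed for the example.

```shell
# Added example, not the poster's commands: sign the intermediate with an explicit
# CA extension section, then compare it with the question's way of signing it.
set -eu
command -v openssl >/dev/null || { echo "openssl not on PATH"; exit 0; }
# Constructed config: a [req] stub (req needs distinguished_name) and one section per role.
write_cnf() { cat > "$1" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
}
# build_chain DIR MODE: root -> intermediate -> server under DIR. MODE=fixed signs the
# intermediate with v3_intermediate; any other MODE signs it as the question does (no -extfile).
build_chain() {
  d=$1; c=$d/ext.cnf; write_cnf "$c"; q="-newkey rsa:2048 -nodes -config $c"
  openssl req -x509 -days 1826 $q -keyout "$d/root.key" -out "$d/root.crt" \
    -subj "/CN=Example Root" -extensions v3_root
  openssl req -new $q -keyout "$d/int.key" -out "$d/int.csr" -subj "/CN=Example Sub CA"
  [ "$2" = fixed ] && ext="-extfile $c -extensions v3_intermediate" || ext=""
  openssl x509 -req -days 1826 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -out "$d/int.crt" $ext
  openssl req -new $q -keyout "$d/srv.key" -out "$d/srv.csr" -subj "/CN=www.example.test"
  openssl x509 -req -days 1826 -in "$d/srv.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -out "$d/srv.crt" -extfile "$c" -extensions v3_server
}
# has_ca_flag CERT: true only if basicConstraints says CA:TRUE; chain_ok DIR: true only if
# srv.crt verifies up to root.crt through int.crt (the check Windows is failing on above).
has_ca_flag() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
chain_ok() { openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/srv.crt" >/dev/null 2>&1; }
for mode in broken fixed; do
  d=$(mktemp -d); build_chain "$d" "$mode" >/dev/null 2>&1
  has_ca_flag "$d/int.crt" && ca=yes || ca=no; chain_ok "$d" && ok=yes || ok=no
  echo "$mode: intermediate CA:TRUE=$ca chain verifies=$ok"
done
```

The broken run reproduces the question's chain (no CA flag on the intermediate, verification fails); the fixed run verifies, and `pathlen:0` additionally stops the intermediate from issuing further CA certificates.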