[Help-gnutls] Re: CA certificates -- root vs intermediate
From: Simon Josefsson
Subject: [Help-gnutls] Re: CA certificates -- root vs intermediate
Date: Thu, 05 Apr 2007 22:57:44 +0200
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.95 (gnu/linux)
Sam Morris <address@hidden> writes:
> I've been using my own CA certificate to secure my access (with SSL/TLS)
> to my personal email & web server for a while now. I originally
> generated the CA certificate with gnutls' certtool program. I now need
> to get the certificate working on a client running Mac OS X.
>
> It's fairly straightforward to import the certificate into OS X's
> Keychain application; however, Keychain insists that my CA is only an
> "intermediate certificate authority", and therefore OS X refuses to
> trust the certificate.
>
> I have gone through the output of 'certtool --info' and 'openssl x509
> -text', and have done quite some Googling by now, but I can't find any
> way to determine the criteria by which Keychain decides that my
> certificate is that of a root authority, or an intermediate authority.
>
> So my question is: is this root/intermediate setting actually in the
> certificate itself (in which case it's something I can fix by generating
> a new certificate--although I can't find any options for this in
> certtool's documentation; is it possible, or will I have to use openssl?)
> or is it something I need to do in the Keychain application?
Basically, root certificates have subject==issuer, intermediate
certificates have subject!=issuer.
> The certificate is available from
> https://crypt.ethx.net/robots.org.uk-CA.crt in case anyone wants a copy.
The certificate is missing the 'key usage' bits of certificate
signing, and a subject key ID. But that doesn't seem relevant to the
error message you got. And, many commercial CAs also lack those
fields so you aren't alone in this.
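Simon's root test (subject == issuer) and the two fields he says are missing, as an added example that is not part of the thread: a pure-Python DER walk over constructed, unsigned sample certificates. The extension OIDs are the standard id-ce values; the sample names, dates and contents are assumptions, and the certificates are not signed, so they are not valid certificates.

```python
# Added example: walk a certificate's DER and report the properties the thread
# discusses.  Sample certificates are constructed inline with an empty signature.
def tlv(tag, body):                        # DER-encode one element (body < 256 bytes)
    ln = bytes([len(body)]) if len(body) < 128 else b'\x81' + bytes([len(body)])
    return bytes([tag]) + ln + body
def parse(data, pos=0):                    # decode one element -> (tag, value, next pos)
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:                          # long-form length (real certs need this)
        ln, pos = int.from_bytes(data[pos:pos + (ln & 0x7F)], 'big'), pos + (ln & 0x7F)
    return tag, data[pos:pos + ln], pos + ln
def children(body):                        # every element directly inside a SEQUENCE/SET body
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse(body, pos)
        out.append((tag, val))
    return out
OID_BC, OID_KU, OID_SKI = b'\x55\x1d\x13', b'\x55\x1d\x0f', b'\x55\x1d\x0e'   # id-ce 19, 15, 14
def ca_report(cert_der):
    """subject==issuer (Simon's root test), cA flag, keyCertSign bit, SKI present."""
    fields = children(children(parse(cert_der)[1])[0][1])    # tbsCertificate
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # drop [0] EXPLICIT version
    issuer, subject = fields[2][1], fields[4][1]              # compare the raw DER Names
    exts = {}
    for tag, val in fields[6:]:
        if tag == 0xA3:                                       # [3] EXPLICIT Extensions
            for _, ext in children(children(val)[0][1]):
                parts = children(ext)                         # OID [, critical BOOLEAN], OCTET STRING
                exts[parts[0][1]] = parts[-1][1]              # OCTET STRING holds the inner DER
    bc = children(parse(exts[OID_BC])[1]) if OID_BC in exts else []
    ku = parse(exts[OID_KU])[1] if OID_KU in exts else b'\x00'  # BIT STRING: unused-bits byte, then bits
    return {'self_issued': issuer == subject,
            'basic_constraints_ca': (0x01, b'\xff') in bc,
            'key_cert_sign': len(ku) > 1 and bool(ku[1] & 0x04),   # keyUsage bit 5
            'has_subject_key_id': OID_SKI in exts}
def name(cn):                              # Name ::= SEQUENCE OF SET OF { id-at-commonName, UTF8String }
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b'\x55\x04\x03') + tlv(0x0C, cn.encode()))))
def ext(oid, inner_der, critical=False):
    return tlv(0x30, tlv(0x06, oid) + (tlv(0x01, b'\xff') if critical else b'') + tlv(0x04, inner_der))
def make_cert(subject_cn, issuer_cn, extensions):   # constructed v3 skeleton, unsigned (assumption)
    alg = tlv(0x30, tlv(0x06, b'\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b'))   # sha256WithRSAEncryption
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b'\x02')) + tlv(0x02, b'\x01') + alg + name(issuer_cn)
               + tlv(0x30, tlv(0x17, b'070405000000Z') * 2) + name(subject_cn)
               + tlv(0x30, alg + tlv(0x03, b'\x00')) + tlv(0xA3, tlv(0x30, b''.join(extensions))))
    return tlv(0x30, tbs + alg + tlv(0x03, b'\x00'))
BC_CA, KU_SIGN, SKI = tlv(0x30, tlv(0x01, b'\xff')), tlv(0x03, b'\x01\x06'), tlv(0x04, bytes(range(20)))
ROOT_EXTS = [ext(OID_BC, BC_CA, True), ext(OID_KU, KU_SIGN, True), ext(OID_SKI, SKI)]
SPARSE_ROOT = make_cert('Example CA', 'Example CA', ROOT_EXTS[:1])        # self-issued, no keyUsage/SKI
FULL_ROOT = make_cert('Example CA', 'Example CA', ROOT_EXTS)
INTERMEDIATE = make_cert('Example Sub CA', 'Example CA', ROOT_EXTS)        # subject != issuer
```

Run `ca_report()` on a real DER certificate (for example the output of `certtool --certificate-info --outder`) to see which of the four properties it carries; a cert that is self-issued but lacks keyCertSign and an SKI reports like SPARSE_ROOT.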
I think you'll need to debug this as a Keychain problem further, to
understand exactly why it is complaining. Can you add any other
certificate as a new trusted root CA?
/Simon