Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

How to set CA:TRUE, in an existing cert

61 views
Skip to first unread message

Darázs Attila

unread,
May 12, 2010, 6:38:23 AM5/12/10
to
Hi to everyone on the list,

Please help me figure out this. I'm trying to add the CA:TRUE
constraint to one of my existing cert (the GTE CyberTrust Global Root,
actually, can be downloaded here:
http://ugykezelo.elte.hu/files/gte-cybertrust-global-root.crt ).

I found in a different cert, that when I issue the
$ openssl x509 -text -in good-ca-cert.crt

command, it includes the following info:
X509v3 Basic Constraints:
CA:TRUE

And the GTE cert lacks in this.

Explanation why I need this:
I'm trying to install a CA cert on my Android phone, to use my
university WiFi account, via http://www.realmb.com/droidCert/ I would
need to install the GTE CyberTrust Root cert, but it is getting
registered as a client cert, not a CA one. If I try to install one
with CA:TRUE, then it's working properly.

Can you tell me how to add this CA:TRUE propery to a certificate?

Thanks in advance,
--Attila
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Erwann ABALEA

unread,
May 12, 2010, 8:51:18 AM5/12/10
to
Hello,

Hodie IV Id. Mai. MMX, Dar�zs Attila scripsit:


> Please help me figure out this. I'm trying to add the CA:TRUE
> constraint to one of my existing cert (the GTE CyberTrust Global Root,
> actually, can be downloaded here:
> http://ugykezelo.elte.hu/files/gte-cybertrust-global-root.crt ).

First, you can't modify an existing certificate without invalidating
its signature.
Second, this certificate is a V1 one, and extensions were added to V3
of the X.509 standard. You can't then add the basicConstraints
extension.

> Explanation why I need this:
> I'm trying to install a CA cert on my Android phone, to use my
> university WiFi account, via http://www.realmb.com/droidCert/ I would
> need to install the GTE CyberTrust Root cert, but it is getting
> registered as a client cert, not a CA one. If I try to install one
> with CA:TRUE, then it's working properly.

--
Erwann ABALEA <erwann...@keynectis.com>
-----
Computers can never replace human stupidity.

Darázs Attila

unread,
May 12, 2010, 9:37:44 AM5/12/10
to
So basically if I don't find a cert with the correct options, I'm screwed.
Thank you for the explanation.

Attila

2010/5/12 Erwann ABALEA <erwann...@keynectis.com>:
> Hello,
>
> Hodie IV Id. Mai. MMX, Darázs Attila scripsit:

Peter Sylvester

unread,
May 12, 2010, 12:03:51 PM5/12/10
to

> I'm trying to install a CA cert on my Android phone, to use my
> university WiFi account, via http://www.realmb.com/droidCert/ I would
> need to install the GTE CyberTrust Root cert, but it is getting
> registered as a client cert, not a CA one. If I try to install one
> with CA:TRUE, then it's working properly.
>
> Can you tell me how to add this CA:TRUE propery to a certificate?
>
Make your own root, and then "cross-certify"
the GTE public key and id adding the appropriate
extensions.
0 new messages