[Help-gnutls] CA certificates -- root vs intermediate

Sam Morris sam at robots.org.uk
Wed Apr 4 18:07:25 CEST 2007


I've been using my own CA certificate to secure my access (with SSL/TLS)
to my personal email & web server for a while now. I originally
generated the CA certificate with gnutls' certtool program. I now need
to get the certificate working on a client running Mac OS X.

It's fairly straightforward to import the certificate into OS X's
Keychain application; however, Keychain insists that my CA is only an
"intermediate certificate authority", and therefore OS X refuses to
trust the certificate.

I have gone through the output of 'certtool --info' and 'openssl x509
-text', and have done quite some Googling by now, but I can't find any
way to determine the criteria by which Keychain decides that my
certificate is that of a root authority, or an intermediate authority.

So my question is: is this root/intermediate setting actually in the
certificate itself (in which case it's something I can fix by generating
a new certificate--although I can't find any options for this in
certtool's documentation; is it possible, or will I have to use openssl?)
or is it something I need to do in the Keychain application?

The certificate is available from
https://crypt.ethx.net/robots.org.uk-CA.crt in case anyone wants a copy.

-- 
Sam Morris
http://robots.org.uk/

PGP key id 1024D/5EA01078
3412 EA18 1277 354B 991B  C869 B219 7FDB 5EA0 1078