[Users] Certificate Tree

Hi all,
I want to create a CA tree like the following

  RootCA

I have a RootCA, with this RootCA, I can generate, Client certificate or another sub root ca. The second level sub root ca can generate client certificate or another sub CA.
I use openssl (OpenSSL 0.9.6c 21 dec 2001) Until now, I'm able to generate the RootCA, the SubCA and the Client Certificate.
But when I import (PKCS12 format) the client certificate on windows2000, I must also import the SubCa. I must do that because I don't import the SubCA but the RootCA and for the Client Cert, the issuer is the SubCA not the RootCA
I import the SubCA. When I check the SubCA on windows, I see that the private key of the SubCA was also imported. That's not the case of the RootCA private key.

On the openssl.cnf, in the [ usr_cert ] section, the basic constraints is : basicConstraints=critical,CA:TRUE
when I generate the the SubCA and is : basicConstraints=CA:FALSE for the client certificate.

How could I generate a Certificate Tree where I need only to import the SubCA and the Client certificate on windows and where the SubCA's PK is not also imported?

Regards

Jean-Robert Wiame
Belgium

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek