Not certified for Certificate Signing

Guest

HELP!!!

We are trying to convert a certificate from .CER format to OpenSSL format,
for Active Directory domain controllers so that Siteminder can use them. In
Windows everything looks fine (the certificate chain up through the
intermediate CA to the root CA is fine) but when we try to verify the
certificates generated via autoenrollment for the DCs we get this message:

"Not certified for Certificate Signing"

Here's the really strange part: as an experiment I exported additional
copies of the .CER versions of the two certificates which were successfully
converted to OpenSSL back in December of last year. We have to use Netscape
4.x in order to do this. They are obviously working because Siteminder is
successfully using them right now. But even THEY gave the same "Not
certified for Certificate Signing" when I took them through the process
again. I'm thinking there must be something in the process I'm not doing
right. I know they're not really for signing other certificates, they're
just for client/server authentication and for LDAP over SSL, but I don't
know what I need to do to get them verified.

Any suggestions appreciated
 
S. Pidgorny

The message does make sense: the DC certificate doesn't have the Certificate
Signing key usage attribute. Only CA certificates have that attribute. Why
would SiteMinder require using a CA certificate?
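
The key usage point in the reply above can be checked with OpenSSL. This is an added example, not part of the original thread: it builds a throwaway CA and a DC-style end-entity certificate, converts the .CER (assumed to be DER-encoded) to PEM, and shows that the certificate lacks Certificate Sign yet still verifies as a server certificate. The names (Demo Root CA, dc01.example.test) and extension values are constructed assumptions.

```shell
# Build a throwaway root CA and a DC-style end-entity cert (constructed names).
make_demo_pki() {
    d=$1
    cat > "$d/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[dc_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ext.cnf" \
        -extensions ca_ext -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ext.cnf" \
        -subj "/CN=dc01.example.test" \
        -keyout "$d/dc.key" -out "$d/dc.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/dc.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -extfile "$d/ext.cnf" -extensions dc_ext \
        -outform DER -out "$d/dc.cer" 2>/dev/null
}

# Convert a DER-encoded .CER export to PEM, the format OpenSSL tools expect.
cer_to_pem() { openssl x509 -inform DER -in "$1" -out "$2"; }

# Exit 0 only if the Key Usage extension lists Certificate Sign (keyCertSign).
can_sign_certs() { openssl x509 -in "$1" -noout -text | grep -q "Certificate Sign"; }

# Verify $2 as a TLS server (end-entity) certificate under trust anchor $1.
verify_as_leaf() { openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1; }

demo() {
    t=$(mktemp -d) && make_demo_pki "$t" && cer_to_pem "$t/dc.cer" "$t/dc.pem" || return 1
    can_sign_certs "$t/ca.pem" && echo "CA cert: has Certificate Sign"
    can_sign_certs "$t/dc.pem" || echo "DC cert: no Certificate Sign (expected)"
    verify_as_leaf "$t/ca.pem" "$t/dc.pem" && echo "DC cert: verifies as a server cert"
    rm -rf "$t"
}
demo
```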
 
