Last question for me (hopefully):
When I created my Root CA, under the Key Usage tab, sections "Key Usage" and "Extended Key Usage", I did not (forgot to) highlight ANY settings such as Certificate Sign or anything else really.
Under "Netscape" tab, same thing: I did NOT select SSL CA or S/MIME CA, etc.
Is that a problem? Should I have done that and thus need to re-create my Root CA?
PS: Chris, how about testing this whole thing with me? You can send me your email address via private message here at SourceForge and I will answer.
Generally, the extensions are meant to restrict the usage of the certificate.
If an extension is missing, it is assumed to "allow all".
But your users may refuse to accept a root CA that authorizes for everything.
But at least the basic constraints should be there.
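
An added example (not part of the thread and not the tool's own code): a shell check that reports whether a root CA certificate carries the basic constraints and the Certificate Sign key usage discussed above. The function names and the two throwaway test roots are constructed for illustration; it assumes the openssl CLI, version 1.1.1 or later.

```shell
#!/bin/sh
# Added example: constructed certificates, hypothetical function names.
# Requires the openssl CLI (1.1.1 or later).

# audit_ca CERT.pem: print one line per missing extension; return 0 only if
# the certificate has basicConstraints CA:TRUE and keyUsage Certificate Sign.
audit_ca() {
    _text=$(openssl x509 -in "$1" -noout -text) || return 2
    _rc=0
    if ! printf '%s\n' "$_text" | grep -q 'CA:TRUE'; then
        echo "missing: basicConstraints CA:TRUE"; _rc=1
    fi
    if ! printf '%s\n' "$_text" | grep -q 'Certificate Sign'; then
        echo "missing: keyUsage Certificate Sign"; _rc=1
    fi
    return "$_rc"
}

# make_root OUT.pem SECTION: write a throwaway self-signed root whose
# extensions come from SECTION of the constructed config below.
make_root() {
    _dir=$(mktemp -d) || return 2
    cat >"$_dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Constructed Test Root
[bare]
subjectKeyIdentifier = hash
[good]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$_dir/ca.cnf" \
        -extensions "$2" -keyout "$_dir/key.pem" -out "$1" 2>/dev/null
    _st=$?
    rm -rf "$_dir"
    return "$_st"
}

# Demo: a root created without the extensions, then one created with them.
work=$(mktemp -d)
if make_root "$work/bare.pem" bare; then audit_ca "$work/bare.pem" || true; fi
if make_root "$work/good.pem" good && audit_ca "$work/good.pem"; then
    echo "good.pem: basic constraints and Certificate Sign present"
fi
rm -rf "$work"
```

To check an existing root, export it as PEM and run `audit_ca` on that file.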