Hi
I have tried to set up a hierarchy with a RootCA (openCA) and 2 subCAs (1 openCA, 1 Windows Server 2003).
I have some problems getting the certificates for my SubCAs.
Here is how I tried to do it (I did not find any doc, so if this isn't the correct way, please tell me):
1) Initialize the SubCA (initialize database, generate secret key, generate request)
2) export request
3) untar the export (to get the careq.pem)
4) Point to the RootCA public interface, -> request a certificate, -> server request, browse for the careq.pem and submit the request
5) Point to the RootCA RA interface and approve the request, upload to the RootCA CA; point to CA interface, issue the certificate, download to the RA.
6)Untar the export from RootCA CA to RootCA RA to get the new certificate: 5.pem.
7)Rename 5.pem to cacert.pem and manually make a new tar.
8) Point my browser to the SubCA CA interface. -> import CA certificate approved by Root CA
and this is where it fails:
I got errors that some params could not be found, I solved this by hardcoding these in importCACert (params UnPackArchive and ImportDev), but the import still fails; I get "Importing CA certificate from fd0 failed" and 255 as error number below.
So my questions are:
Is the procedure to do this correct? Is there a bug in importCACert? What am I doing wrong?
Concerning Windows, I did the same except that my request comes from a Windows CA. Here again I had no problems issuing the certificate, but the import of the cacert.pem file also fails (with a message telling that there was an error reading the file). I tried to convert the cacert.pem file to another format to make it importable by Windows (Windows expects a .crt or a pkcs7 file) but this also failed. Is it possible to do such conversions?
Is there someone who has a working hierarchy with openCA and windows?
Thanks for any help
Pierre
PS: I'm using redhat 8 and openCA 0.9.1-1
_________________________
Pierre Scholtes
Unicible
tel: +41 (0)21 644 6111
fax: +41 (0)21 644 6300
mailto:[EMAIL PROTECTED]
http://www.unicible.ch
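
Added example, not part of the original message and not OpenCA's own tooling: a shell sketch of the conversion asked about above, turning a PEM sub-CA certificate into a DER `.crt` and a PKCS#7 bundle with the `openssl` CLI. The root CA, sub-CA, subjects and file names are constructed for the demonstration; only `careq.pem` and `cacert.pem` mirror names from the post.

```shell
#!/bin/sh
# Added example; every name, subject and path here is constructed.
set -e
# Build a throwaway root CA and a sub-CA certificate signed by it in dir $1.
build_constructed_hierarchy() {
    (
        cd "$1"
        cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
        openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config ca.cnf \
            -extensions v3_ca -subj "/CN=Constructed Root CA" \
            -keyout root.key -out root.pem 2>/dev/null
        # Sub-CA key and request: the counterpart of careq.pem in the post.
        openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
            -subj "/CN=Constructed Sub CA" -keyout sub.key -out careq.pem 2>/dev/null
        # The root signs the request WITH CA extensions; without CA:TRUE the
        # result is an end-entity certificate that cannot act as a sub-CA.
        openssl x509 -req -in careq.pem -CA root.pem -CAkey root.key \
            -CAcreateserial -days 30 -extfile ca.cnf -extensions v3_ca \
            -out cacert.pem 2>/dev/null
    )
}

# Convert PEM cert $1 (issuer PEM in $2) into $3.crt (DER) and $3.p7b (PKCS#7).
convert_for_windows() {
    openssl verify -CAfile "$2" "$1" >/dev/null   # refuse to convert a broken chain
    openssl x509 -in "$1" -outform DER -out "$3.crt"
    openssl crl2pkcs7 -nocrl -certfile "$1" -certfile "$2" -outform DER -out "$3.p7b"
}
# Number of certificates inside a DER-encoded PKCS#7 bundle.
p7b_cert_count() {
    openssl pkcs7 -inform DER -in "$1" -print_certs | grep -c 'BEGIN CERTIFICATE'
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    build_constructed_hierarchy "$d"
    convert_for_windows "$d/cacert.pem" "$d/root.pem" "$d/cacert"
    echo "certificates in bundle: $(p7b_cert_count "$d/cacert.p7b")"
fi
```

Run with the argument `demo` to build the constructed hierarchy in a temporary directory; `convert_for_windows` can also be pointed at an existing PEM certificate and its issuer.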
