Gottfried Scheckenbach wrote:
Hi all,

I'm using openca.0.9.1.3 for root- and sub-ca and after doing the export/signing stuff as described by Pierre Scholtes (Subject: get a cert for a Sub-CA)

1) Initialize the SubCA ( initialize database, generate secret key, generate request)
2) export request
3) untar the export (to get the careq.pem)
4) Point to the RootCA public interface, ->request a certificate, ->server request, browse for the careq.pem and submit the request
5) Point to the RootCA ra interface and approve the request, upload to the RootCA CA; point to CA interface, issue the certificate, download to the RA.
6) Untar the export from RootCA CA to RootCA RA to get the new certificate: 5.pem.
7) Rename 5.pem to cacert.pem and manually make a new tar.
6) Point my browser to the SubCA CA interface. ->import CA certificate approved by Root CA


I get on importing the signed cert on the sub-ca the error:

- error 690: Missing configuration keyword: UnpackArchive

I forgot to update the script importCACert. Please try the attached version.


- import into db: error 690 - error (1) while convertig certificate

So, has anybody some idea? What can I do?

Usually this happens if the CA certificate is not a pure PEM certificate. Remove anything else from the certificate, including OpenCA headers. There should only be the certificate:


-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----

Michael
--
-------------------------------------------------------------------
Michael Bell                   Email: [EMAIL PROTECTED]
ZE Computer- und Medienservice            Tel.: +49 (0)30-2093 2482
(Computing Centre)                        Fax:  +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin                   Email (private): [EMAIL PROTECTED]
Germany                                       http://www.openca.org
## OpenCA - CA Command
## (c) 2001 by OpenCA Group
##
##   File Name: importCACert
##       Brief: Imports CA Certificate
## Description: Imports Signed CA Certificate from parent CA
##  Parameters: none
## Cfg Keyword: UnpackArchive, ImportDev, opencadir

sub cmdImportCACert {

## To import the CA certificate we use the same import device as the
## one used for the certificates (is there any reason for not doing so ?)
## Get required parameters from the configuration file
my $cmd        = getRequired( 'EXPORT_IMPORT_LOCAL_IMPORT' );
my $orig       = getRequired( 'EXPORT_IMPORT_LOCAL_DEVICE' );
my $makeCmd    = getRequired( 'MakePath');

## Other reserved variables
my $cacertFile = getRequired ( 'CACertificate' );
my $cacertDER  = getRequired ( 'CACertificateDER' );
my $cacertCRT  = getRequired ( 'CACertificateCRT' );
my $cacertTXT  = getRequired ( 'CACertificateTXT' );
my $chainDir   = getRequired ( 'ChainDir' );
my $certDir    = getRequired ( 'CACertDir' );

print startLogPage("Importing CA Certificate");
$cmd = $query->subVar( $cmd, '@__DEVICE__@', $orig );
$cmd = $query->subVar( $cmd, '@__DEST__@', $certDir );

## If there is already a cacertfile, then we should move it to .old
if ( -e "$cacertFile" ) {
       $tools->moveFiles( SRC=>$cacertFile,
                          DEST=>$cacertFile.".${$}_old");
       $msg = i18nGettext ("Old certificate file is __FILE__.", "__FILE__", "$cacertFile.${$}_old");
}

unlink( "$cacertDER" ) if ( -e "$cacertDER" );
unlink( "$cacertTXT" ) if ( -e "$cacertTXT" );

print addLogSection(gettext("Importing CA Certificate into filesystem ... "));
my $ret = `$cmd 2>&1`;
if( $? != 0 ) {
       print addErrorLog(i18nGettext("Importing CA Certificate Failed from __DEVICE__!", "__DEVICE__", $orig) );
       closePage();
       return undef;
}
print addLogLine(gettext("Ok."));
print addPreLogLine( $ret );
print closeLogSection();

print addLogSection(gettext("Importing CA Certificate to dB ... "));

$cryptoShell->dataConvert( DATATYPE=>CERTIFICATE,
                          INFILE=>$cacertFile,
                          OUTFILE=>$cacertDER,
                          OUTFORM=>"DER" );

configError( "<BR>".gettext("Error (1) while convertig certificate")."<BR>" ) if( $? != 0 );

$cryptoShell->dataConvert( DATATYPE=>CERTIFICATE,
                          INFILE=>$cacertFile,
                          OUTFILE=>$cacertTXT,
                          OUTFORM=>"TXT" );

configError( "<BR>".gettext("Error (2) while convertig certificate")."<BR>" ) if( $? != 0 );

$crt = new OpenCA::X509( SHELL=>$cryptoShell, INFILE=>"$cacertFile" );
if( not $crt ) {
       configError( "<BR>".i18nGettext("Error while loading CA certificate (__FILE__).",
                                       "__FILE__", $cacertFile) );
} else {
       ##// Let's link to the chain dir
       $tools->copyFiles ( SRC=>"$cacertFile",
                           DEST=>"$cacertCRT");

       ##// Let's make the links for chain verification
       $ret = `cd ${chainDir}; $makeCmd`;

       if ( not $db->storeItem( DATATYPE=>"VALID_CA_CERTIFICATE",
                                OBJECT=>$crt,
                                MODE=>"INSERT")) {
         if ( not $db->storeItem( DATATYPE=>"VALID_CA_CERTIFICATE",
                                  OBJECT=>$crt,
                                  MODE=>"UPDATE")) {
               configError (gettext("Error while storing CA cert to dB!"));
         }
       }
}

print addLogLine( gettext("Ok.") );
print addPreLogLine ( $crt->getTXT() );
print addPreLogLine ( $ret );
print closeLogSection();
closePage();

return 1;
}

1;
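
The "pure PEM" clean-up described in the reply above, as an added example that is not part of the original message or of OpenCA: it keeps only the certificate block and checks that the body decodes to a single DER SEQUENCE before the file is put back into the import tar. The header lines and the five-byte body in SAMPLE are constructed for illustration; this is a structural check only and does not verify the Root CA's signature.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

def der_length_ok(der: bytes) -> bool:
    """True if der is one outer ASN.1 SEQUENCE whose length covers every byte."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def pure_pem(text: str) -> str:
    """Return only the certificate block of text, or raise ValueError."""
    blocks = PEM_RE.findall(text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate block, found {len(blocks)}")
    body = "".join(blocks[0].split())     # drop line breaks inside the body
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:             # binascii.Error subclasses ValueError
        raise ValueError("certificate body is not valid base64") from exc
    if not der_length_ok(der):
        raise ValueError("decoded body is not a single DER SEQUENCE")
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"

# Constructed sample: NOT a real certificate, only a minimal DER SEQUENCE,
# surrounded by made-up header and trailer text of the kind to be removed.
_BODY = base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, 0x05])).decode()
SAMPLE = (
    "-----BEGIN HEADER-----\nTYPE = CERTIFICATE\n-----END HEADER-----\n"
    "-----BEGIN CERTIFICATE-----\n" + _BODY + "\n-----END CERTIFICATE-----\n"
    "trailing text\n"
)

if __name__ == "__main__":
    print(pure_pem(SAMPLE), end="")
```
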
