David W. Blaine wrote:
Ok, I see where I need to copy the root ca into var/crypto/chains as root-ca.crt and then rebuild the chain. Does this mean I need to regenerate the user certificates or can I simply re-download them in PKCS12 format?
I have generated certificates from sub-ca successfully but they do not include the root certificate portion of the chain so they fail when used in a Cisco VPN.
Can you tell me what I need to do?
To ensure that I understand your problem:
1. You are trying to set up a Cisco VPN.
2. Your OpenCA version is unknown (0.9.1.x?).
3. You issue the certificates from a sub CA.
4. You created the key with OpenCA.
5. You want to use PKCS#12 for roll-out.
6. You want to roll out the certs with a complete chain inside.
If this is fully correct then I have a typical open source solution.
1. Go to OPENCADIR/lib/cmds
2. Edit send_cert_key_pkcs12
2.1. vi send_cert_key_pkcs12
2.2. There is a line
my $cacert = getRequired ('....
This line defines a file which includes all CA certificates which will be included in the PKCS#12 file. Usually we only include our CA certificate. This is only the sub CA certificate in your case.
2.3. Set an individual filename for the chain
my $cacert = "/my/openca/dir/var/crypto/cacerts/blaine.pem";
2.4 create an individual file for the chain
Now you have to create the file blaine.pem. This file has to include all needed CA certs in PEM format. Please remember to include a begin and end line before and after every CA certificate like for every normal PEM-formatted CA certificate.
I hope this works for you.
Michael
--
-------------------------------------------------------------------
Michael Bell                     Email: [EMAIL PROTECTED]
ZE Computer- und Medienservice   Tel.: +49 (0)30-2093 2482
(Computing Centre)               Fax: +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin                     Email (private): [EMAIL PROTECTED]
Germany                          http://www.openca.org
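An added example, not part of the original message or of OpenCA: a Python check that a hand-assembled chain file such as blaine.pem has a complete BEGIN/END line pair around every certificate and that no base64 body was cut short. The function names and the sample data are assumptions constructed for illustration; the check is structural only and does not verify signatures.

```python
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def der_total_length(der):
    """Total size claimed by the outer DER SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                       # short form: one length byte
        return 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length header")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_chain_pem(text):
    """Return the DER blobs found in a PEM chain file, or raise ValueError."""
    ders, body = [], None                   # body is None outside a block
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line == BEGIN:
            if body is not None:
                raise ValueError("line %d: BEGIN inside an open block" % no)
            body = []
        elif line == END:
            if body is None:
                raise ValueError("line %d: END without BEGIN" % no)
            try:                            # a fused END/BEGIN line fails here
                der = base64.b64decode("".join(body), validate=True)
                claimed = der_total_length(der)
            except ValueError as exc:
                raise ValueError("line %d: %s" % (no, exc))
            if claimed != len(der):
                raise ValueError("line %d: truncated or padded body" % no)
            ders.append(der)
            body = None
        elif body is not None:
            body.append(line)
    if body is not None or not ders:
        raise ValueError("missing END line or no certificate found")
    return ders

def fake_pem(n):
    """Constructed sample: a well-formed SEQUENCE of n zero bytes, not a real cert."""
    der = b"\x30\x82" + n.to_bytes(2, "big") + bytes(n)
    return BEGIN + "\n" + base64.encodebytes(der).decode() + END + "\n"

if __name__ == "__main__":
    sub_ca, root_ca = fake_pem(300), fake_pem(500)   # stand-ins for the two CA files
    print(len(check_chain_pem(sub_ca + root_ca)), "certificates in chain")
```

Joining two files where the first lacks a trailing newline fuses the END and BEGIN lines into one; the check rejects that file, as it does one with a missing END line.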
