Your assessment is correct even though I didn't provide the OpenCA version
I am running (0.9.1). The steps provided completed the chain that was
necessary. Thanks so much for your fast reply...
------------------
David Blaine, GCIA
Network Engineer
CSC for GDLS
Desk: 586-825-7650
Cell: 810-217-8041
Email: [EMAIL PROTECTED]
On Sun, 21 Dec 2003, Michael Bell wrote:
> Hi David,
>
> David W. Blaine wrote:
> > Ok, I see where I need to copy the root CA into var/crypto/chains as root-ca.crt
> > and then rebuild the chain. Does this mean I need to regenerate the user
> > certificates or can I simply re-download them in PKCS12 format?
>
> >>I have generated certificates from sub-ca successfully but they do not include
> >>the root certificate portion of the chain so they fail when used in a Cisco
> >> VPN.
> >
> >>Can you tell me what I need to do?
>
> To ensure that I understand your problem:
>
> 1. You try to set up a Cisco VPN.
> 2. Your OpenCA version is unknown (0.9.1.x?).
> 3. You issue the certificates from a sub CA.
> 4. You created the key with OpenCA.
> 5. You want to use PKCS#12 for roll-out.
> 6. You want to roll out the certs with a complete chain inside.
>
> If this is fully correct then I have a typical open source solution.
>
> 1. Go to OPENCADIR/lib/cmds
> 2. Edit send_cert_key_pkcs12
> 2.1. vi send_cert_key_pkcs12
> 2.2. there is a line
>
> my $cacert = getRequired ('....
>
> This line defines a file which includes all CA certificates which will
> be included into the PKCS#12 file. Usually we only include our CA
> certificate. This is only the sub CA certificate in your case.
>
> 2.3. Set an individual filename for the chain
>
> my $cacert = "/my/openca/dir/var/crypto/cacerts/blaine.pem";
>
> 2.4. Create an individual file for the chain
>
> Now you have to create the file blaine.pem. This file has to include all
> needed CA certs in PEM format. Please remember to include a begin and
> end line before and after every CA certificate like for every normal
> PEM-formatted CA certificate.
>
> I hope this works for you.
>
> Michael
> --
> -------------------------------------------------------------------
> Michael Bell Email: [EMAIL PROTECTED]
> ZE Computer- und Medienservice Tel.: +49 (0)30-2093 2482
> (Computing Centre) Fax: +49 (0)30-2093 2704
> Humboldt-University of Berlin
> Unter den Linden 6
> 10099 Berlin Email (private): [EMAIL PROTECTED]
> Germany http://www.openca.org
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: IBM Linux Tutorials.
> Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
> Free Linux Tutorials. Learn everything from the bash shell to sys admin.
> Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
> _______________________________________________
> Openca-Users mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/openca-users
>
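Steps 2.3 and 2.4 of the quoted reply, as an added example that is not part of the original thread or of OpenCA: Python that assembles a chain file from several CA certificates and rejects input whose BEGIN/END lines are missing or whose body is truncated. The function names and the rule that no text may sit outside the BEGIN/END lines are assumptions of this example; it checks PEM framing and DER length only, not signatures or issuer order.

```python
import base64
import re

# One PEM certificate: BEGIN line, base64 body, END line.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)


def der_total_length(der):
    """Return the full length of a DER SEQUENCE as declared by its header."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                      # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def build_chain(pem_texts):
    """Concatenate CA certs (e.g. sub CA, then root CA) into one PEM bundle."""
    out = []
    for i, text in enumerate(pem_texts):
        blocks = PEM_CERT.findall(text)
        leftover = PEM_CERT.sub("", text).strip()   # anything outside framing
        if not blocks or leftover:
            raise ValueError(f"input {i}: missing or broken BEGIN/END lines")
        for body in blocks:
            der = base64.b64decode("".join(body.split()), validate=True)
            if der_total_length(der) != len(der):
                raise ValueError(f"input {i}: truncated certificate")
            b64 = base64.b64encode(der).decode()
            lines = [b64[j:j + 64] for j in range(0, len(b64), 64)]
            out.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                       + "\n-----END CERTIFICATE-----\n")
    return "".join(out)


def count_certs(bundle):
    return len(PEM_CERT.findall(bundle))


if __name__ == "__main__":
    # Constructed stand-in for a certificate: a 5-byte DER SEQUENCE, not a real cert.
    fake = base64.b64encode(bytes.fromhex("3003020101")).decode()
    pem = f"-----BEGIN CERTIFICATE-----\n{fake}\n-----END CERTIFICATE-----\n"
    print(count_certs(build_chain([pem, pem])))
```

The returned string is what would be written to the chain file that `$cacert` points at.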