Hello,
the OpenCA guide explains it quite well (OpenCA guide, 0.9.2.1 p.146 1.9
How can I setup a sub CA?):

1. Initialize the SubCA (initialize database, generate secret key,
generate request) 
2. export request (this request will be saved in the local device for
data exchange that you set up in the config.xml file)
3. untar the export (to get the careq.pem), the next steps are only
correct if you use OpenCA for your Root CA 
4. Point to the Root CA public interface -> request a certificate ->
server request -> browse for the careq.pem and submit the request 
5. Point to the Root CA RA interface and approve the request, upload to
the Root CA CA; point to CA interface, issue the certificate 
6. Download the certificate for the sub CA via the RA or public
interface of the Root CA 
7. rename the file to cacert.pem and manually make a new tar (and put it
in the local device for data exchange)
8. Point your browser to the SubCA CA interface and import CA
certificate approved by Root CA

+ Final setup (OpenCA guide, 1.1.5 p.82), you have to gather all the CA
certificates of the Certificate Chain in the var/crypto/chain
and then you can click on the "Rebuild CA Chain" button.
You should see something like that displaying for a CA just under the
Root CA:
Description      cacert.crt ... e773f437.0   rootca.crt ... 363c2e53.0
(NB. personally, I had to use .crt extensions to make it work)

This final setup is not clear to me, because on one of my subCAs, I
didn't gather the CA certificates, just rebuilt the CA chain with the
current CA certificate (display would look like: Description
cacert.crt ... e773f437.0), and it seems to work well when I use the
certificates issued with this CA.
Can someone explain to me what the big difference is?

Cheers,
Pierre
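As an added example, not part of this thread or of OpenCA itself, the following script reproduces the situation Pierre describes with plain openssl: a hash-named chain directory (the e773f437.0 / 363c2e53.0 style names) holding only the sub CA certificate versus one holding the whole chain, and what `openssl verify` makes of each. All file names (root.crt, cacert.crt, leaf.crt) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the OpenCA guide or the thread): build a three-level
# chain with plain openssl and show why var/crypto/chain must hold every CA
# certificate. All names here are constructed for the demonstration.
set -eu
command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 1; }
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT
cd "$W"
# Extensions that mark a certificate as a CA (used for root and sub CA).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Root CA: self-signed (the Root CA initialisation in OpenCA).
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 365 \
  -extfile ca.ext 2>/dev/null
# Sub CA: the exported careq.pem, signed by the Root CA (steps 1-6 above).
openssl req -new -newkey rsa:2048 -nodes -keyout sub.key -out careq.pem \
  -subj "/CN=Example Sub CA" 2>/dev/null
openssl x509 -req -in careq.pem -CA root.crt -CAkey root.key -CAcreateserial \
  -out cacert.crt -days 365 -extfile ca.ext 2>/dev/null
# End-entity certificate issued by the Sub CA.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=user@example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA cacert.crt -CAkey sub.key -CAcreateserial \
  -out leaf.crt -days 365 2>/dev/null

# Mimic "Rebuild CA Chain": a directory of <subject-hash>.0 links, which is
# how names like e773f437.0 / 363c2e53.0 come about.
# $1 = target dir, remaining args = CA certificates to include.
build_chain_dir() {
  dir=$1; shift
  mkdir -p "$dir"
  for c in "$@"; do
    ln -sf "$PWD/$c" "$dir/$(openssl x509 -noout -hash -in "$c").0"
  done
}
# Returns 0 if leaf.crt verifies against the given chain directory.
verify_leaf() { openssl verify -CApath "$1" leaf.crt >/dev/null 2>&1; }

build_chain_dir chain_sub_only cacert.crt          # only the issuing CA
build_chain_dir chain_full cacert.crt root.crt     # the complete chain

sub_only_ok=0; verify_leaf chain_sub_only && sub_only_ok=1
full_ok=0;     verify_leaf chain_full && full_ok=1
echo "sub CA only: $sub_only_ok  full chain: $full_ok"
```

A strict verifier builds the path up to a self-signed root, so the directory without the Root CA certificate fails even though the issuing CA certificate is present; software that only checks an issued certificate's signature against the sub CA certificate appears to work either way.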


> Hi,
>  
> I want to have a pki's hierarchy with 1 Root CA and 2 sub CAs on the
> same machine. I followed these steps:
> - Install the root CA in /usr/local/ca/root --- OK
> - Initialization of root CA (database, secret key, certificate request
> and self signed certificate) --- OK
> - Initialization of initial administrator --- OK
> - Initialization of RA certificate --- OK
> - Install the first sub CA in /usr/local/ca/subCA1 --- OK
> - Initialization of sub CA --- FAILED
> - Install the second sub CA in /usr/local/ca/subCA2 --- OK
> - Initialization of sub CA --- FAILED
>  
> In the sub CA's initialization, I managed to create the secret key
> pair and the certificate request, and to export the CA certificate request
> (Signed by another CA).
> But this is the problem: where do I have to export this request?
> Directly in the Root CA interface? In the RA interface of the Root CA? In the Pub
> interface of the RA? I don't know!!!
> I tried all of these possibilities and none succeeded. Can anybody
> help me?
>  
> Configuration: FEDORA CORE 3 - Openca 0.9.2.1 - openssl 0.9.7g - DB
> database - no ldap
>  
> Thanks for your answers

_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users