On Fri, 25 Mar 2005 10:13:38 -0600, Chevalier, Victor T. <[EMAIL PROTECTED]> wrote:
> I am trying to create a hierarchy for my CA's...however when I have two
> separate CA's created similarly:
>
> On box 1 Main CA:
> openssl req -newkey rsa:2048 -days 4380 \
> -out cacert.pem -outform PEM -config openssl.cnf
>
> On box 2 Subordinate CA:
> openssl req -newkey rsa:2048 -days 2190 \
> -out cacert.pem -outform PEM -config openssl.cnf
> I try to sign the subordinate CA with the main ca like this:
> On box1 in the main CA directory:
> openssl ca -in box2/SubCA/cacert.pem -config openssl.cnf
>
> I get an error something along the lines of Expecting: CERTIFICATE
> REQUEST

You actually want to sign the CSR for box2, not the certificate itself. You also probably don't need to generate a self-signed certificate on box 2 anyway, since the real certificate you want is box 2's CSR signed by box 1's CA. That certificate should then be valid for 2190 days...

Morgan
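
The flow described in the reply above, as an added example that is not part of the original thread: box 2 produces only a CSR, and box 1 signs it with `openssl ca`. The temporary directory layout, the subject names, the file name `careq.pem` and the minimal `openssl.cnf` are assumptions constructed for this demo.

```shell
#!/bin/sh
# Constructed demo; every name, path and config value here is an assumption.
build_chain() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/box1/newcerts" "$d/box2"
    : > "$d/box1/index.txt"          # empty CA database
    echo 01 > "$d/box1/serial"       # next serial number (hex)
    cat > "$d/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ ca ]
default_ca = main_ca
[ main_ca ]
database = $d/box1/index.txt
new_certs_dir = $d/box1/newcerts
serial = $d/box1/serial
certificate = $d/box1/cacert.pem
private_key = $d/box1/cakey.pem
default_md = sha256
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
EOF
    # Box 1: the main CA is the only self-signed certificate (-x509).
    openssl req -x509 -newkey rsa:2048 -nodes -days 4380 -config "$d/openssl.cnf" \
        -extensions v3_ca -subj "/CN=Example Main CA" \
        -keyout "$d/box1/cakey.pem" -out "$d/box1/cacert.pem" || return 1
    # Box 2: key pair plus a certificate REQUEST (no -x509, so no -days here).
    openssl req -new -newkey rsa:2048 -nodes -config "$d/openssl.cnf" \
        -subj "/CN=Example Subordinate CA" \
        -keyout "$d/box2/cakey.pem" -out "$d/box2/careq.pem" || return 1
    # Feeding a certificate to 'openssl ca -in' is rejected: it expects a CSR.
    if openssl ca -batch -config "$d/openssl.cnf" -in "$d/box1/cacert.pem" \
        -out "$d/box2/bad.pem" 2>/dev/null; then return 1; fi
    # Box 1 signs box 2's CSR; the validity period is set at signing time.
    openssl ca -batch -notext -config "$d/openssl.cnf" -extensions v3_ca -days 2190 \
        -in "$d/box2/careq.pem" -out "$d/box2/cacert.pem" || return 1
    openssl x509 -in "$d/box2/cacert.pem" -noout -subject -issuer
    openssl verify -CAfile "$d/box1/cacert.pem" "$d/box2/cacert.pem"
    rc=$?
    rm -rf "$d"
    return "$rc"
}
build_chain
```

The private key generated on box 2 never leaves box 2; only `careq.pem` travels to box 1 and only the signed `cacert.pem` travels back.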