I have an OpenSSL CA running on a BSD 6.1 machine as the root, and am 
trying to have that act as the parent to subordinate Windows online 
enterprise CAs. 


The installation went fine. I signed the Windows subordinate CA cert 
request with SSL, then converted it to pkcs12 to be installed. That's 
where I get the problem. When I try to install the pkcs12 cert on the 
Windows machine, it doesn't like it, giving me an "ASN1 unexpected end 
of data". 


I suspect that possibly it is because it isn't seeing the private key 
when OpenSSL converts to pkcs12. I was actually only able to get the 
.pem -> .p12 conversion to work by using the -nokeys option. 


So let me walk you through each step. 


1. Received Windows CA generated request file (.der). 
2. Signed it using "ca -config blahblah/openssl.cnf -in 
windowsreqfile.der -out newcert.pem" 
3. Converted it using "pkcs12 -export -in newcert.pem -out 
newercert.p12 -nokeys" 


So as I said I could only get the conversion command to work using the 
nokeys option. If I didn't, it would error out on me saying "unable to 
load private key". This tells me I may have missed a step in the 
signing process, but I'm unsure what exactly. Do I need to execute 
another command after step 2 to output a separate private key file? 
Shouldn't the private key be included in the .pem file in step 2? 

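What the three steps in the post produce, as an added example that is not part of the original post: a certificate request carries only the public key, so the signed certificate and the `-nokeys` PKCS#12 contain no private key, which stays on the machine that generated the request. It assumes an `openssl` binary and uses `x509 -req` with throwaway keys in place of the poster's `ca -config` setup; every name except the post's three file names is constructed.

```shell
#!/bin/sh
set -e

# Run the post's request -> sign -> export steps inside directory $1.
subca_roundtrip() (
    cd "$1"
    # Requesting machine (the Windows CA in the post): key pair plus DER
    # request. sub.key is written here and is never sent to the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout sub.key \
        -subj "/CN=Example Subordinate CA" \
        -outform DER -out windowsreqfile.der 2>/dev/null
    # Root CA: throwaway self-signed certificate (constructed stand-in).
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key \
        -subj "/CN=Example Root CA" -days 30 -out root.pem 2>/dev/null
    # Step 2: convert the DER request to PEM and sign it as a CA cert.
    openssl req -inform DER -in windowsreqfile.der -out windowsreqfile.pem
    printf 'basicConstraints=critical,CA:TRUE\n' > subca.ext
    openssl x509 -req -in windowsreqfile.pem -CA root.pem -CAkey root.key \
        -CAcreateserial -days 30 -extfile subca.ext \
        -out newcert.pem 2>/dev/null
    # Step 3: certificate-only PKCS#12, then dump it back to PEM.
    openssl pkcs12 -export -in newcert.pem -nokeys \
        -passout pass:example -out newercert.p12
    openssl pkcs12 -in newercert.p12 -nodes -passin pass:example \
        -out p12dump.pem 2>/dev/null
)

# Count PEM private-key blocks in file $1 (0 = certificate material only).
private_key_blocks() { grep -c 'BEGIN.*PRIVATE KEY' "$1" || true; }

# Print "match" if the certificate $1 carries the public half of key $2.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

work=$(mktemp -d)
subca_roundtrip "$work"
echo "private keys in newcert.pem:   $(private_key_blocks "$work/newcert.pem")"
echo "private keys in newercert.p12: $(private_key_blocks "$work/p12dump.pem")"
echo "newcert.pem vs sub.key: $(key_matches_cert "$work/newcert.pem" "$work/sub.key")"
```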