On Wed, Dec 27, 2006, Aaron Barnes wrote:

> With Windows certificate services, upon installation it will ask you to
> select the type of CA the server is to become from 4 different options.
> I've chosen an enterprise online CA, however its parent is offline, so
> of course I cannot make an online certificate request. I saved the
> actual certificate request as a .der file (Windows defaults to .req I
> believe) and copied to the OpenSSL parent box.
>
> Perhaps my signing command was in error. I used "ca -config
> /pathtoconfigfile/openssl.cnf -out thecertificate.pem -in
> windowsrequestfile.der".
>
> When installing the subordinate's certificate, it does not like .pem
> files...which doesn't really surprise me. The available options are
> .cer, .crt, .p12, .pfx and .p7b. I was using pkcs12 as it indicated
> there was an available export option for that command. When I tried to
> use the .pem file it would give me the error "The certificate is not a
> CA certificate".
>
> I also executed the command you suggested and tried installing the .der
> file; it gives the same error.
>

Yes the signing command is incorrect. By default the certificate is an end
entity certificate for OpenSSL not a CA certificate.

Try the command line switch:

-extensions v3_ca

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List
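
The difference the switch makes, as an added example that is not part of the original thread: the same request is signed once without and once with `-extensions v3_ca`, and only the second certificate carries `CA:TRUE`. The config file, subject names and file names are constructed for the demo, the `v3_ca` section shown is an assumed minimal one, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: throwaway keys and constructed names, all inside a temp directory.
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

demo_sub_ca() (
  set -e
  cd "$(mktemp -d)" || exit 1
  mkdir newcerts; : > index.txt; echo 01 > serial
  echo 'unique_subject = no' > index.txt.attr   # allow signing the same subject twice
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
database = ./index.txt
new_certs_dir = ./newcerts
serial = ./serial
certificate = ./root.pem
private_key = ./root.key
default_md = sha256
default_days = 365
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  # Self-signed offline root, then a DER request standing in for the Windows one.
  openssl req -x509 -newkey rsa:2048 -nodes -config openssl.cnf -extensions v3_ca \
    -subj "/CN=Example Offline Root" -days 30 -keyout root.key -out root.pem
  openssl req -new -newkey rsa:2048 -nodes -config openssl.cnf \
    -subj "/CN=Example Subordinate CA" -keyout sub.key -outform DER -out sub.der
  openssl req -config openssl.cnf -inform DER -in sub.der -out sub.csr  # DER -> PEM
  # Signed as in the original command: no CA extensions end up in the certificate.
  openssl ca -batch -notext -config openssl.cnf -in sub.csr -out plain.pem
  # Signed with -extensions v3_ca: basicConstraints CA:TRUE is added.
  openssl ca -batch -notext -config openssl.cnf -extensions v3_ca \
    -in sub.csr -out sub.pem
  # DER-encoded copy under a .cer name, one of the extensions the Windows side accepts.
  openssl x509 -in sub.pem -outform DER -out sub.cer
  ! is_ca plain.pem && is_ca sub.pem && openssl verify -CAfile root.pem sub.pem
)
```

The function returns 0 only when the plain certificate lacks `CA:TRUE`, the `v3_ca` one has it, and the latter verifies against the root; re-encoding alone (PEM to DER) does not change which extensions are present.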
