Hi Elvira,

On Fri, Jan 30, 2009 at 01:26:39PM +0300, ?????????? ??????? wrote:
> > As said, the steps look just fine, but it might be a problem with your
> > CA certificate/configuration. Can you please send your CA certificate
> > to the list so that I can verify my assumption that you're missing
> > the subjectKeyIdentifier extension on your CA certificate?
>
> Here it is:
>
> cacert.pem

as expected, your CA certificate is missing the subjectKeyIdentifier
extension. I assume this is somewhat our fault because the documentation
on how to generate a CA certificate did not include this extension either.

You could now either leave out the extension and change your OpenXPKI
configuration for the end-entity certificates, but I would not recommend
that, because the authorityKeyIdentifier/subjectKeyIdentifier are actually
pretty useful extensions. Or you could regenerate your CA certificate with
the line

    subjectKeyIdentifier = hash

added to the '[ ext ]' section of your OpenSSL config file. I've also
edited the corresponding Wiki page, see
http://wiki.openxpki.org/index.php/Manual/Quickstart/Installation

You will then need to delete the existing CA certificate and the alias
pointing to it from the database:

    openxpkiadm certificate remove --name 'yourcaalias' --realm 'your realm'

Unfortunately, there is no administrative command to delete the alias,
so you will have to touch the DB yourself:

    DELETE FROM aliases WHERE alias = 'yourcaalias' and pki_realm = 'your realm';

Import the new CA certificate and update the alias, and you should be
good to go.

HTH,
Best regards,
  Alex
--
Dipl.-Math. Alexander Klink | IT-Security Engineer
[email protected] | working @ urn:oid:1.3.6.1.4.1.11417
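
Added example (not part of the original mail and not OpenXPKI's own tooling): a check that a CA certificate carries the subjectKeyIdentifier extension before it is imported, plus a throwaway CA built with the `subjectKeyIdentifier = hash` line in its `[ ext ]` section to show what the value is derived from. The file names, the CN, the RSA key type and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed example: throwaway CA, not the OpenXPKI Quickstart configuration.

# Print the subjectKeyIdentifier of a PEM certificate as lowercase hex,
# or return 1 if the extension is absent (or the file is not a certificate).
ski_of() {
    ski=$(openssl x509 -in "$1" -noout -text |
          awk '/X509v3 Subject Key Identifier/ { getline; print; exit }' |
          tr -d ' :' | tr 'A-F' 'a-f')
    [ -n "$ski" ] || return 1
    printf '%s\n' "$ski"
}

# What "hash" computes for an RSA key: SHA-1 over the DER RSAPublicKey, i.e. the
# subjectPublicKey BIT STRING contents (RFC 5280 section 4.2.1.2, method 1).
expected_ski() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl rsa -pubin -RSAPublicKey_out -outform DER 2>/dev/null |
        openssl dgst -sha1 | sed 's/.*= *//'
}

# Create a self-signed test CA in directory $1 (assumed file names).
make_ca() {
    mkdir -p "$1"
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no

[ dn ]
CN = Constructed Test CA

[ ext ]
basicConstraints     = critical, CA:TRUE
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$1/openssl.cnf" -extensions ext \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

# Usage: sh check_ski.sh cacert.pem [more.pem ...]
for cert in "$@"; do
    if ski=$(ski_of "$cert"); then echo "$cert: subjectKeyIdentifier $ski"
    else echo "$cert: subjectKeyIdentifier MISSING"
    fi
done
```

Running the check against the existing cacert.pem before and after regenerating it shows whether the re-import will carry the extension.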
