Hi Scott,

> This is applicable only when both of my CAs are in a single installation
> of OpenXPKI....Practically CA and Sub CA are far apart and in separate
> installations containing separate databases. I want my SubCA certificate to
> be signed by the key of Root CA.......Next I shall import this certificate in
> my other installation...The NewCA installation will act as stand alone CA but
> its CA certificate should be signed by the key of Root CA to establish a
> chain of trust......Kindly guide me how can I do in separate installations?

Basically the same procedure, but in this case you don't need multiple PKI
Realms in your configuration. Instead, configure the Root environment to use
the Sub CA profile (as explained earlier) and the Issuing CA environment to
use the normal end entity profiles.

Generate a CA private key on the Issuing CA system, export a certificate
request and have it signed by the Root CA with the Sub CA profile.

Now import the Root and Sub CA Certificate into the issuing CA environment
and set the certificate alias properly:

Step 1: Import Root CA Certificate

Import Root CA Cert into self-signed realm:

  openxpkiadm certificate import --config .../config.xml --file root-ca-cert.pem

The command prints the certificate identifier of the Root CA cert. Use it in
the following command.

Set an alias for the Root CA certificate in the issuing CA realm:

  openxpkiadm certificate alias --config .../config.xml --realm 'YOUR ISSUING CA REALM' --identifier IDENTIFIER --alias ROOTCA-ALIAS

Step 2: Import Sub CA Certificate issued by Root

Import issuing CA certificate into issuing CA realm:

  openxpkiadm certificate import --config .../config.xml --realm 'YOUR ISSUING CA REALM' --file issuing-ca-cert.pem --issuer ROOTCA-ALIAS

This import command prints the cert identifier used in the next command.

Set an alias that corresponds to the one referenced in config.xml (CA
section):

  openxpkiadm certificate alias --config .../config.xml --realm 'YOUR ISSUING CA REALM' --identifier IDENTIFIER --alias ISSUING-CA-ALIAS

Step 3: Restart OpenXPKI and check that it accepts the issuing CA.

HTH,
Martin

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
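
A pre-import check for the two PEM files named in the steps above, as an added example that is not part of Martin's message or of OpenXPKI: it uses plain OpenSSL to confirm that the issuing CA certificate verifies against the root and is marked as a CA. The function names check_subca and make_test_pki, the return codes and the throwaway test hierarchy are assumptions made for this example.

```shell
#!/bin/sh
# Added example: OpenSSL-only checks to run on the PEM files before import.

# check_subca ROOT_PEM SUBCA_PEM
# Returns 0 = OK, 1 = does not verify against the root, 2 = not marked as a CA.
check_subca() {
    # Signature, issuer and validity period, with ROOT_PEM as the trust anchor.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    # A request signed with an end entity profile yields no CA:TRUE.
    openssl x509 -in "$2" -noout -text | grep -q 'CA:TRUE' || return 2
    return 0
}

# make_test_pki DIR
# Constructed throwaway hierarchy for trying the check (not OpenXPKI output):
# a root, an issuing CA signed with CA:TRUE, and a leaf signed with CA:FALSE.
make_test_pki() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
        '[dn]' 'CN=unused' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
        > "$d/openssl.cnf"
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$d/issuing-ca.ext"
    printf '%s\n' 'basicConstraints=CA:FALSE' > "$d/leaf.ext"
    openssl req -x509 -config "$d/openssl.cnf" -newkey rsa:2048 -nodes \
        -days 2 -subj '/CN=Test Root CA' -keyout "$d/root-ca-key.pem" \
        -out "$d/root-ca-cert.pem" 2>/dev/null || return 1
    for n in issuing-ca leaf; do
        openssl req -new -config "$d/openssl.cnf" -newkey rsa:2048 -nodes \
            -subj "/CN=Test $n" -keyout "$d/$n-key.pem" \
            -out "$d/$n.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$d/$n.csr" -CA "$d/root-ca-cert.pem" \
            -CAkey "$d/root-ca-key.pem" -CAcreateserial -days 1 \
            -extfile "$d/$n.ext" -out "$d/$n-cert.pem" 2>/dev/null || return 1
    done
}
```

Run `check_subca root-ca-cert.pem issuing-ca-cert.pem` on the issuing CA system before Step 1; a return code of 2 points to a certificate that was not issued with a CA profile.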
