Hi Scott, > I applied your suggested configuration and was able to create a Sub CA > certificate...i also added a "Sub CA" role in the Sub CA profile. The Sub > CA's certificate was successfully generated. I used "Accounts Department" as > my Sub CA name....Then i imported this certificate into a seperate OpenXPKI > installation. > Here is the Certificate import output...
looks good. > All happened successfully and i saw the Certificate chain in this new Sub > CA.....Then i requested a user certificate which was also generated > successfully. This indicates you set it up properly. > Now my next task was to create a Sub CA certificate from my "Accounts > Department" Sub CA....so similarly i replicated those profile Sub CA tags in > Sub CA installation. But this time Error occured "(internal) Determine > Issuing CA". The workflow stalled when it reached the point for selecting the proper issuing CA. I suggest you restart the openxpki daemon in debug mode (openxpkictl start --debug 128) and have a look at the stderr.log output (search from the bottom upwards). Search for "thrown" to find the first exception that is thrown by the daemon. If you look a bit upwards the exception tag should help you find the problem. >From your description I cannot tell the cause of the problem. > I am attaching my Root CA Certificate, Sub CA Certificate, User Certificate > generated from Sub CA, Error Snapashot, DB Entries and Certificate Chain > Snapshot. BTW, you should not set typical end-entity key usages (such as TLS Client) in Sub CA certificates. Certificate sign and CRL sign should be enough. cheers Martin ------------------------------------------------------------------------------ Throughout its 18-year history, RSA Conference consistently attracts the world's best and brightest in the field, creating opportunities for Conference attendees to learn about information security's most important issues through interactions with peers, luminaries and emerging and established companies. http://p.sf.net/sfu/rsaconf-dev2dev _______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
