On Fri, Feb 08, 2019 at 02:12:59PM +0100, joris dedieu wrote:
> Hello Pki users,
> I found how to issue a sub certificate with pki ca-authority-create
> and export certificate with ca-authority-show, but I don't understand
> how to export Sub CA key. I need it to sign some certificates with
> puppet or openssl. Is there a way to do so ?
>
> Best Regards
> Joris
>

You really shouldn't export the sub-CA key. There are two alternatives:

1. Use Dogtag to sign the required certificates using the lightweight
   sub-CA. For example:

     pki ca-cert-request-submit --csr-file PATH --issuer-id UUID

2. Generate a keypair and CSR for the Puppet/OpenSSL CA, and create the
   certificate in Dogtag using a CA profile. Dogtag never sees the
   sub-CA's private key.

Hope that helps,
Fraser
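A sketch of alternative 2, added here as an example and not part of the reply above: the key and CSR are created on the Puppet/OpenSSL host, and the CSR is checked before it is the only file handed to Dogtag. The file names, key size, CN and the CA_PROFILE placeholder are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): create the external sub-CA's key and
# CSR on the Puppet/OpenSSL host. File names, key size and CN are assumptions.

# make_subca_csr DIR CN: writes DIR/subca.key (mode 0600) and DIR/subca.csr.
make_subca_csr() {
    dir=$1 cn=$2
    (
        umask 077                   # key must never be group/world readable
        mkdir -p "$dir" || exit 1
        # Minimal request config so the result does not depend on system defaults.
        printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' \
            "$cn" > "$dir/req.cnf" || exit 1
        openssl genrsa -out "$dir/subca.key" 2048 2>/dev/null || exit 1
        openssl req -new -config "$dir/req.cnf" \
            -key "$dir/subca.key" -out "$dir/subca.csr"
    )
}

# csr_is_submittable DIR: succeeds only if the CSR's self-signature verifies,
# its public key matches the local key, and it holds no private key material.
csr_is_submittable() {
    dir=$1
    openssl req -in "$dir/subca.csr" -noout -verify 2>&1 \
        | grep -q 'verify OK' || return 1
    csr_pub=$(openssl req -in "$dir/subca.csr" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$dir/subca.key" -pubout 2>/dev/null) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ] || return 1
    ! grep -q 'PRIVATE KEY' "$dir/subca.csr"
}

# Usage (only subca.csr leaves this host):
#   make_subca_csr /etc/subca "Puppet Sub CA" && csr_is_submittable /etc/subca
#   pki ca-cert-request-submit --profile CA_PROFILE --csr-file /etc/subca/subca.csr
# CA_PROFILE is a placeholder for the CA profile enabled in your Dogtag instance.
```

The certificate Dogtag issues is then installed next to subca.key on the same host, so the private key never moves.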