On Fri, Feb 08, 2019 at 10:53:08AM -0800, Marc Sauton wrote:
> I always use the pkispawn command to create instances, not "pki
> ca-authority-create", so I have a doubt.
>
To clarify, ca-authority-create creates a lightweight sub-CA within
an existing Dogtag CA instance. For more info see
https://www.dogtagpki.org/wiki/Lightweight_sub-CAs.

> But try to check for a related PKCS #12 file with extension .p12 in ~/, or
> use certutil in /etc/pki/*/alias/, the default
> being /etc/pki/pki-tomcat/alias/
>
> If there is a p12 file, the key material is wrapped, if not, use pk12util
> to create a p12 file from the NSS db directory.
>
The lightweight CA keys indeed live in /etc/pki/pki-tomcat/alias
NSSDB. No PKCS #12 file is created. You could export them
yourself, but you probably shouldn't (unless for backup). I suggest
alternatives in my other reply.

Cheers,
Fraser

> If this is using an HSM, do not export, or only use the vendor's tools.
> Thanks,
> M.
>
> On Fri, Feb 8, 2019 at 5:13 AM joris dedieu <joris.ded...@gmail.com> wrote:
>
> > Hello Pki users,
> > I found how to issue a sub certificate with pki ca-authority-create
> > and export certificate with ca-authority-show, but I don't understand
> > how to export Sub CA key. I need it to sign some certificates with
> > puppet or openssl. Is there a way to do so?
> >
> > Best Regards
> > Joris
> >
> > _______________________________________________
> > Pki-users mailing list
> > Pki-users@redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-users