Re: 1 Main CA and a subordinate CA 1-Many...how can I sign one ca with another ca...

2005-03-28 Thread Morgan Collett
On Fri, 25 Mar 2005 10:13:38 -0600, Chevalier, Victor T.
[EMAIL PROTECTED] wrote:
 I am trying to create a hierarchy for my CA's...however when I have two
 separate CA's created similarly:
 
 On box 1 Main CA:
 openssl req -newkey rsa:2048 -days 4380 \
 -out cacert.pem -outform PEM -config openssl.cnf
 
 On box 2 Subordinate CA:
 openssl req -newkey rsa:2048 -days 2190 \
 -out cacert.pem -outform PEM -config openssl.cnf


 I try to sign the subordinate CA with the main ca like this:
 On box1 in the main CA directory:
 openssl ca -in box2/SubCA/cacert.pem -config openssl.cnf
 
 I get an error something along the lines of Expecting: CERTIFICATE
 REQUEST

You actually want to sign the CSR for box2, not the certificate
itself. You also probably don't need to generate a self-signed
certificate on box 2 anyway, since the real certificate you want is
box 2's CSR signed by box 1's CA. That certificate should then be
valid for 2190 days...

Morgan
__
OpenSSL Project http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
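An added, end-to-end version of what Morgan describes, written as an example script for this thread (it is not code from either poster): box 1 issues a self-signed root, box 2 produces only a key and a certificate request, and box 1 signs that request with "openssl ca". One caveat worth checking against the posted openssl.cnf: its [ CA_PROFILE ] section applies certificate_extensions with basicConstraints = CA:false to everything it signs, so even a correctly submitted CSR would come back as a non-CA certificate, and box 2 could not issue certificates that verify. The script therefore adds a separate v3_sub_ca extension section (CA:true, pathlen:0, keyCertSign) and selects it with -extensions when signing the sub-CA request. Assumptions of this example only: both "boxes" are directories under one temporary tree, the subordinate is named SubCA, box 2 reuses box 1's config file for its request, keys are unencrypted, and sha256 replaces the thread's sha1.

```shell
#!/bin/sh
# Added example (not from the thread): root CA on "box 1" signs the CSR of a
# subordinate CA on "box 2". Both boxes are directories under one temp tree
# here; in reality only the CSR and the signed certificate cross machines.
set -eu

# Root CA config. The thread's config lacks a CA:true section for signing
# subordinate requests; [ v3_sub_ca ] below is that (assumed) section.
write_root_cnf() {
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_PROFILE
[ CA_PROFILE ]
dir             = $1
certificate     = \$dir/cacert.pem
private_key     = \$dir/cakey.pem
database        = \$dir/index.txt
new_certs_dir   = \$dir/certs
serial          = \$dir/serial
default_days    = 2190
default_md      = sha256
policy          = CA_PROFILE_Policy
x509_extensions = v3_end_entity
[ CA_PROFILE_Policy ]
countryName            = match
organizationName       = match
organizationalUnitName = supplied
commonName             = supplied
# default for ordinary certificates: explicitly not a CA
[ v3_end_entity ]
basicConstraints       = CA:false
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
# used only when signing a subordinate CA request
[ v3_sub_ca ]
basicConstraints       = critical,CA:true,pathlen:0
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
[ req ]
prompt             = no
distinguished_name = root_ca_DN
[ root_ca_DN ]
commonName             = MainCA
organizationName       = Software
organizationalUnitName = Branch
countryName            = US
[ root_ca_ext ]
basicConstraints     = critical,CA:true
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

build_hierarchy() {
  WORK=$(mktemp -d)          # fresh tree each run, so repeated calls do not collide
  ROOT="$WORK/box1"
  SUB="$WORK/box2"
  mkdir -p "$ROOT/certs" "$SUB"
  touch "$ROOT/index.txt"
  echo 1000 > "$ROOT/serial"
  write_root_cnf "$ROOT"

  # Box 1: self-signed root. -x509 belongs here and only here.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 4380 \
    -config "$ROOT/openssl.cnf" -extensions root_ca_ext \
    -subj "/C=US/O=Software/OU=Branch/CN=MainCA" \
    -keyout "$ROOT/cakey.pem" -out "$ROOT/cacert.pem" 2>/dev/null

  # Box 2: a key and a CSR only; no self-signed certificate is needed there.
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$ROOT/openssl.cnf" \
    -subj "/C=US/O=Software/OU=Branch/CN=SubCA" \
    -keyout "$SUB/cakey.pem" -out "$SUB/subca.csr" 2>/dev/null

  # Box 1 signs the request (not a certificate) with the sub-CA extensions.
  openssl ca -batch -config "$ROOT/openssl.cnf" -extensions v3_sub_ca \
    -days 2190 -in "$SUB/subca.csr" -out "$SUB/cacert.pem" -notext
}

# Does the issued sub-CA certificate chain to the root? (exit 0 = yes)
verify_sub_ca() {
  openssl verify -CAfile "$ROOT/cacert.pem" "$SUB/cacert.pem" >/dev/null
}

# Did the issued certificate really get CA:TRUE? Fails when the request was
# signed with the thread's CA:false default instead of v3_sub_ca.
sub_ca_is_ca() {
  openssl x509 -in "$SUB/cacert.pem" -noout -text | grep -q 'CA:TRUE'
}

if command -v openssl >/dev/null 2>&1; then
  build_hierarchy
  verify_sub_ca
  sub_ca_is_ca
  echo "sub-CA certificate verifies against the root: $SUB/cacert.pem"
fi
```

After signing, "openssl verify -CAfile cacert.pem" against the root and a look at the Basic Constraints line of the issued certificate are the two checks worth running before box 2 starts issuing anything; the second one is what catches the CA:false default in the posted config.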


1 Main CA and a subordinate CA 1-Many...how can I sign one ca with another ca...

2005-03-25 Thread Chevalier, Victor T.
I am trying to create a hierarchy for my CA's...however when I have two
separate CA's created similarly:

On box 1 Main CA:
openssl req -newkey rsa:2048 -days 4380 \
-out cacert.pem -outform PEM -config openssl.cnf

On box 2 Subordinate CA:
openssl req -newkey rsa:2048 -days 2190 \
-out cacert.pem -outform PEM -config openssl.cnf

The configuration files are almost identical.

openssl.cnf:
[ ca ]
default_ca  = CA_PROFILE

[ CA_PROFILE ]
dir = .
certificate = $dir/cacert.pem
database= $dir/index.txt
new_certs_dir   = $dir/certs
private_key = $dir/private/cakey.pem
serial  = $dir/serial

default_crl_days= 7
default_days= 4380
default_md  = sha1

policy  = CA_PROFILE_Policy
x509_extensions = certificate_extensions

[ CA_PROFILE_Policy ]
commonName  = supplied
stateOrProvinceName = optional
countryName = match
emailAddress= optional
organizationName= match
organizationalUnitName  = supplied

[ certificate_extensions ]
basicConstraints= CA:false
subjectKeyIdentifier= hash

[ req ]
default_bits= 2048
default_keyfile = ./private/cakey.pem
default_md  = sha1
default_days= 4380

prompt  = no

distinguished_name  = root_ca_DN

x509_extensions = root_ca_ext

[ root_ca_DN ]
commonName  = MainCA
organizationName= Software
organizationalUnitName  = Branch
countryName = US

[ root_ca_ext ]
basicConstraints= CA:true
subjectKeyIdentifier= hash
authorityKeyIdentifier  = keyid:always,issuer:always

I try to sign the subordinate CA with the main ca like this:
On box1 in the main CA directory:
openssl ca -in box2/SubCA/cacert.pem -config openssl.cnf

I get an error something along the lines of Expecting: CERTIFICATE
REQUEST

Any clues?  Thanx!