OpenSSL with Windows subordinates

I have an OpenSSL CA running on a BSD 6.1 machine as the root, and am
trying to have that act as the parent to subordinate Windows online
enterprise CAs.

The installation went fine. I signed the Windows subordinate CA cert
request with SSL, then converted it to pkcs12 to be installed. That's
where I get the problem. When I try to install the pkcs12 cert on the
Windows machine, it doesn't like it, giving me an "ASN1 unexpected end
of data".

I suspect that possibly it is because it isn't seeing the private key
when OpenSSL converts to pkcs12. I was actually only able to get the
.pem -> .p12 conversion to work by using the -nokeys option.

So let me walk you through each step.

1. Received Windows CA generated request file (.der).
2. Signed it using "ca -config blahblah/openssl.cnf -in windowsreqfile.der -out newcert.pem"
3. Converted it using "pkcs12 -export -in newcert.pem -out newercert.p12 -nokeys"

So as I said I could only get the conversion command to work using the
nokeys option. If I didn't, it would error out on me saying "unable to
load private key". This tells me I may have missed a step in the
signing process, but I'm unsure what exactly. Do I need to execute
another command after step 2 to output a separate private key file?
Shouldn't the private key be included in the .pem file in step 2?

__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
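
The following is an added example, not part of the original post: it replays the three steps above with a throwaway root CA to show where the private key lives. A PKCS#10 request carries only the public key, so the certificate the root returns has no key in it and the signer cannot build a PKCS#12 with keys from it. The file names, subject names and the use of `x509 -req` in place of `ca` are assumptions made so the demo runs without a CA database directory.

```shell
#!/bin/sh
# Constructed demo: throwaway root CA plus a stand-in for the Windows request.
# Every file and subject name here is made up for the example.
set -e
DEMO_DIR=$(mktemp -d)

build_demo() {
    cd "$DEMO_DIR"
    # Root CA key and self-signed certificate (the OpenSSL root's role).
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
        -subj "/CN=Example Root CA" -days 30 2>/dev/null
    # Requester's role: the key pair is generated here and only the DER request
    # leaves the machine. windows-side.key is never given to the root CA.
    openssl req -new -newkey rsa:2048 -nodes -keyout windows-side.key \
        -outform DER -out windowsreqfile.der -subj "/CN=Example Sub CA" 2>/dev/null
    # Sign the request as a CA certificate (x509 -req is used here instead of
    # "ca" so that no CA database directory is needed).
    openssl req -inform DER -in windowsreqfile.der -out req.pem
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > subca.ext
    openssl x509 -req -in req.pem -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile subca.ext -days 30 -out newcert.pem 2>/dev/null
    # Certificate-only bundle (sub CA cert + root) to hand back to the requester.
    openssl crl2pkcs7 -nocrl -certfile newcert.pem -certfile root.pem -out subca-chain.p7b
}

# "yes" if the PEM file carries a private key block, otherwise "no".
has_private_key() {
    if grep -q 'PRIVATE KEY-----' "$1"; then echo yes; else echo no; fi
}

# "fails" when a PKCS#12 export is attempted with only the signed certificate.
p12_export_without_key() {
    if openssl pkcs12 -export -in "$1" -out "$DEMO_DIR/try.p12" \
        -passout pass:demo </dev/null >/dev/null 2>&1; then echo works; else echo fails; fi
}

# Number of certificates inside a PKCS#7 bundle.
p7b_cert_count() {
    openssl pkcs7 -in "$1" -print_certs | grep -c '^subject'
}

build_demo
echo "private key in newcert.pem: $(has_private_key newcert.pem)"
echo "pkcs12 export without key:  $(p12_export_without_key newcert.pem)"
echo "certs in subca-chain.p7b:   $(p7b_cert_count subca-chain.p7b)"
```

The only file containing a private key is the one created on the requesting side, which is why the export in step 3 succeeds only with `-nokeys`.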