On Wed, Dec 27, 2006, Aaron Barnes wrote:

> I have an OpenSSL CA running on a BSD 6.1 machine as the root, and am
> trying to have that act as the parent to subordinate Windows online
> enterprise CAs.
> The installation went fine. I signed the Windows subordinate CA cert
> request with SSL, then converted it to pkcs12 to be installed. That's
> where I get the problem. When I try to install the pkcs12 cert on the
> Windows machine, it doesn't like it, giving me an "ASN1 unexpected end
> of data".
> I suspect that possibly it is because it isn't seeing the private key
> when OpenSSL converts to pkcs12. I was actually only able to get the
> .pem -> .p12 conversion to work by using the -nokeys option.
> So let me walk you through each step.
> 1. Received Windows CA generated request file (.der).
> 2. Signed it using "ca -config blahblah/openssl.cnf -in
> windowsreqfile.der -out newcert.pem"
> 3. Converted it using "pkcs12 -export -in newcert.pem -out
> newercert.p12 -nokeys"
> So as I said I could only get the conversion command to work using the
> nokeys option. If I didn't, it would error out on me saying "unable to
> load private key". This tells me I may have missed a step in the
> signing process, but I'm unsure what exactly. Do I need to execute
> another command after step 2 to output a separate private key file?
> Shouldn't the private key be included in the .pem file in step 2?

The private key resides on the Windows machine and doesn't leave it which is
as it should be. A PKCS#12 file is only really used when the private key and
matching certificate are present.

You really need to just install the certificate and have Windows associate the
key with it.

How you do that depends on exactly what you did in Step #1. You may be able to
just install the newcert.pem file or you can convert it to DER using:

openssl x509 -in newcert.pem -outform DER -out newcert.der
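The following script is an added walk-through of the points made in this thread; it is not code from either poster. It rebuilds the whole chain on one machine with throwaway keys: a self-signed root, a subordinate CSR converted to DER (standing in for the Windows-generated request), the signed certificate, and the PEM-to-DER conversion above. The subordinate key is generated locally only so the PKCS#12 behaviour can be shown; in the real setup that key stays on the Windows CA. It assumes the openssl command-line tool and mktemp are available; file names, subjects and the "demo" password are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the root -> subordinate chain
# offline and show why "pkcs12 -export" needs the private key.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
WORK="${WORK:-$(mktemp -d)}"   # scratch directory for all generated files

# Root CA (the OpenSSL side) plus a subordinate request, signed and converted to DER.
build_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.pem" \
    -subj "/CN=Example Root CA" -days 3650 -sha256 2>/dev/null
  # Subordinate key and CSR; the key stands in for the one held on the Windows CA.
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/sub.key" -out "$WORK/sub.csr" \
    -subj "/CN=Example Sub CA" 2>/dev/null
  # Windows hands over the request in DER; convert it back to PEM before signing.
  openssl req -in "$WORK/sub.csr" -outform DER -out "$WORK/windowsreqfile.der"
  openssl req -in "$WORK/windowsreqfile.der" -inform DER -out "$WORK/sub_from_der.csr"
  # Mark the issued certificate as a CA so the subordinate can issue certificates itself.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/sub.ext"
  openssl x509 -req -in "$WORK/sub_from_der.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -out "$WORK/newcert.pem" -days 1825 -sha256 -extfile "$WORK/sub.ext" 2>/dev/null
  # The conversion suggested in the reply: same certificate, DER encoding.
  openssl x509 -in "$WORK/newcert.pem" -outform DER -out "$WORK/newcert.der"
}

# The issued certificate must chain to the root.
verify_chain() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/newcert.pem" >/dev/null
}

# PEM and DER files carry the identical certificate (same SHA-256 fingerprint).
same_cert_in_pem_and_der() {
  pem_fp=$(openssl x509 -in "$WORK/newcert.pem" -noout -fingerprint -sha256)
  der_fp=$(openssl x509 -in "$WORK/newcert.der" -inform DER -noout -fingerprint -sha256)
  [ "$pem_fp" = "$der_fp" ]
}

# A signed certificate contains no private key, which is why "unable to load
# private key" appears when the cert alone is fed to "pkcs12 -export".
cert_has_no_private_key() {
  if openssl pkey -in "$WORK/newcert.pem" -noout 2>/dev/null; then
    return 1
  fi
  return 0
}

# pkcs12 -export: fails without the key, yields a cert-only bundle with -nokeys,
# and only bundles key plus certificate where the matching key is actually present.
pkcs12_export_requires_key() {
  if openssl pkcs12 -export -in "$WORK/newcert.pem" -out "$WORK/bad.p12" -passout pass:demo 2>/dev/null; then
    return 1
  fi
  openssl pkcs12 -export -in "$WORK/newcert.pem" -nokeys -out "$WORK/certonly.p12" -passout pass:demo 2>/dev/null
  openssl pkcs12 -export -in "$WORK/newcert.pem" -inkey "$WORK/sub.key" -out "$WORK/full.p12" -passout pass:demo 2>/dev/null
  # The full bundle really does carry the key; the cert-only one cannot.
  openssl pkcs12 -in "$WORK/full.p12" -passin pass:demo -nocerts -passout pass:demo 2>/dev/null | grep -q 'PRIVATE KEY'
}

build_chain
verify_chain && echo "newcert.pem chains to root.pem"
same_cert_in_pem_and_der && echo "newcert.der is the same certificate as newcert.pem"
cert_has_no_private_key && echo "newcert.pem carries no private key"
pkcs12_export_requires_key && echo "pkcs12 -export succeeds only where the private key is available"
```

Run it as-is; everything lands in a fresh temporary directory (override with WORK=/some/dir). The last function is the whole point of the reply: the certificate-only bundle is a legitimate PKCS#12 file, but it cannot associate a key, so the right move is to install newcert.pem or newcert.der on the Windows CA and let it match the certificate to the key it already holds.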

