With Windows certificate services, upon installation it will ask you to
select the type of CA the server is to become from 4 different options.
I've chosen an enterprise online CA, however its parent is offline, so
of course I cannot make an online certificate request. I saved the
actual certificate request as a .der file (Windows defaults to .req I
believe) and copied to the OpenSSL parent box.

Perhaps my signing command was in error. I used "ca -config
/pathtoconfigfile/openssl.cnf -out thecertificate.pem -in
windowsrequestfile.der".

When installing the subordinate's certificate, it does not like .pem
files...which doesn't really surprise me. The available options are
..cer, .crt, .p12, .pfx and .p7b. I was using pkcs12 as it indicated
there was an available export option for that command. When I tried to
use the .pem file it would give me the error "The certificate is not a
CA certificate". =20

I also executed the command you suggested and tried installing the .der
file; it gives the same error.

Regards,
Aaron
=20

-----Original Message-----
From: owner-openssl-users@openssl.org
[mailtowner-openssl-users@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Wednesday, December 27, 2006 11:24
To: openssl-users@openssl.org
Subject: Re: OpenSSL with Windows subordinates


The private key resides on the Windows machine and doesn't leave it
which is as it should be. A PKCS#12 file is only really used when the
private key and matching certificate are present.

You really need to just install the certificate and have Windows
associate the key with it.

How you do that depends on exactly what you did in Step #1. You may be
able to just install the newcert.pem file or you can convert it to DER
using:

openssl x509 -in newcert.pem -outform DER -out newcert.der

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL
project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org