This is a discussion on Re: OpenSSL with Windows subordinates - Openssl ; On Wed, Dec 27, 2006, Aaron Barnes wrote: > With Windows certificate services, upon installation it will ask you to > select the type of CA the server is to become from 4 different options. > I've chosen an enterprise ...
On Wed, Dec 27, 2006, Aaron Barnes wrote:
> With Windows certificate services, upon installation it will ask you to
> select the type of CA the server is to become from 4 different options.
> I've chosen an enterprise online CA, however its parent is offline, so
> of course I cannot make an online certificate request. I saved the
> actual certificate request as a .der file (Windows defaults to .req I
> believe) and copied to the OpenSSL parent box.
> Perhaps my signing command was in error. I used "ca -config
> /pathtoconfigfile/openssl.cnf -out thecertificate.pem -in
> When installing the subordinate's certificate, it does not like .pem
> files...which doesn't really surprise me. The available options are
> .cer, .crt, .p12, .pfx and .p7b. I was using pkcs12 as it indicated
> there was an available export option for that command. When I tried to
> use the .pem file it would give me the error "The certificate is not a
> CA certificate".
> I also executed the command you suggested and tried installing the .der
> file; it gives the same error.
Yes the signing command is incorrect. By default the certificate is an end
entity certificate for OpenSSL not a CA certificate.
Try the command line switch: -extensions v3_ca
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
OpenSSL Project http://www.openssl.org
User Support Mailing List firstname.lastname@example.org
Automated List Manager email@example.com