On Wed, Dec 27, 2006, Aaron Barnes wrote:

> With Windows certificate services, upon installation it will ask you to
> select the type of CA the server is to become from 4 different options.
> I've chosen an enterprise online CA, however its parent is offline, so
> of course I cannot make an online certificate request. I saved the
> actual certificate request as a .der file (Windows defaults to .req I
> believe) and copied to the OpenSSL parent box.
> Perhaps my signing command was in error. I used "ca -config
> /pathtoconfigfile/openssl.cnf -out thecertificate.pem -in
> windowsrequestfile.der".
> When installing the subordinate's certificate, it does not like .pem
> files...which doesn't really surprise me. The available options are
> .cer, .crt, .p12, .pfx and .p7b. I was using pkcs12 as it indicated
> there was an available export option for that command. When I tried to
> use the .pem file it would give me the error "The certificate is not a
> CA certificate".
> I also executed the command you suggested and tried installing the .der
> file; it gives the same error.

Yes, the signing command is incorrect. By default the certificate is an end
entity certificate for OpenSSL, not a CA certificate.

Try the command line switch: -extensions v3_ca

Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
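
The difference described in the reply, as an added example that is not part of the original thread and is not OpenSSL project code: a throwaway CA signs the same request once without and once with -extensions v3_ca, and the resulting basicConstraints value is checked. The config sections, file names and subjects are constructed for the example, and the request is generated locally as a stand-in for the Windows subordinate's request.

```shell
#!/bin/sh
# Added example. Constructed throwaway CA in a temp dir; all names are hypothetical.
set -e
WORK=$(mktemp -d) && cd "$WORK"
mkdir newcerts && : > index.txt && echo 01 > serial

cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/root.pem
private_key = $dir/root.key
default_md = sha256
default_days = 365
policy = policy_any
unique_subject = no
x509_extensions = usr_cert   # used when no -extensions switch is given
[ policy_any ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ req ]
distinguished_name = dn
[ dn ]
EOF

# Offline root, plus a request standing in for the Windows subordinate's request.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Constructed Root CA" -days 365 -config openssl.cnf -extensions v3_ca 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout sub.key -out sub.req \
  -subj "/CN=Constructed Sub CA" -config openssl.cnf 2>/dev/null

sign_sub() {  # $1 = output file; remaining args are passed on to "openssl ca"
  out=$1; shift
  openssl ca -batch -config openssl.cnf -in sub.req -out "$out" "$@" >/dev/null 2>&1
}
is_ca() {  # prints yes if the certificate has basicConstraints CA:TRUE, else no
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

sign_sub sub_default.pem                  # no switch: default section, end-entity cert
sign_sub sub_ca.pem -extensions v3_ca     # with the suggested switch: CA cert
openssl x509 -in sub_ca.pem -outform DER -out sub_ca.cer   # DER copy with a .cer name
echo "default: CA=$(is_ca sub_default.pem)  v3_ca: CA=$(is_ca sub_ca.pem)"
```

Running the same is_ca check on a certificate before copying it to the subordinate shows whether it was issued as a CA certificate.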