[Pki-users] Creating a sub-ca under an external CA?
Erwin Himawan
ehimawan at gmail.com
Wed Apr 7 03:04:09 UTC 2010
Hi Mike,
You mention that 2) The PKCS7 chain for step 2 is base 64 encoded, but NOT
armored.
What do you mean by "Not armored"?
Thanks,
Erwin
--------------------------------------------------
From: "Michael StJohns" <msj at nthpermutation.com>
Sent: Monday, April 05, 2010 8:31 PM
To: "Arshad Noor" <arshad.noor at strongauth.com>
Cc: <pki-users at redhat.com>
Subject: Re: [Pki-users] Creating a sub-ca under an external CA?
> OK - just for the record - I did figure out the problem. Here are the
> notes I have from this process.
>
> 1) AKI at the root doesn't matter
> 2) The PKCS7 chain for step 2 is base 64 encoded, but NOT armored. This
> needs to be documented - ideally in the box used to paste the chain.
> 3) The chain does not need to include the current (new cert), just the
> chain of certs for the issuing CA.
> 4) When the setup routine generates the subsidiary certificates -
> including the server cert - it appears to use the name in the certificate
> request as the issuer name for the subsidiary certificates, rather than
> the subject name of the cert issued by the superior CA. This was the
> thing that was causing me problems - my certificate signing tool was
> re-writing the requested name to add things like the country code and the
> subsidiary certs couldn't chain because of a name mismatch.
>
> I think (4) is actually a bug in Dogtag - but I need to do some code
> reading to confirm my analysis. AFAIK the name in a CSR is just the
> proposed name - the issuing CA has every right to change the name to meet
> its requirements.
>
> Thanks for the help...
>
> Mike
>
>
> On 4/4/2010 9:43 PM, Michael StJohns wrote:
>> On 4/4/2010 6:37 PM, Arshad Noor wrote:
>>> I believe your problem may be due to the fact that your self-signed
>>> Root CA certificate does not contain the AuthorityKeyIdentifier (AKI)
>>> extension - it only has the SubjectKeyIdentifier (SKI) extension.
>>>
>> I tried issuing a new root cert with the AKI (and then doing a rebuild of
>> the whole CA) - no luck. But thanks for the suggestion.
>>
>> But - I did find out why my chain wasn't being accepted. It turns out
>> that even though step 3 requires an armored Base64 value (e.g. -----BEGIN
>> CERTIFICATE----- -----END CERTIFICATE-----), step 2 only wants the
>> unarmored Base64 value of the PKCS7 chain object. It also doesn't appear
>> to care whether or not the chain contains the new CA certificate for this
>> instance. At least now the certs are ending up in the database even if
>> the chains still don't seem to work.
>>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
More information about the Pki-users
mailing list