[Pki-users] Creating a sub-ca under an external CA?
Arshad Noor
arshad.noor at strongauth.com
Sun Apr 4 21:58:06 UTC 2010
Post the existing Root CA certificate and the new DogTag SubCA
certificate (in Base64-encoded format) to the forum. Without
looking at the certificates, it's hard to debug the issue.

Also, do you have the current Root CA's certificate stored as
a trusted CA within DogTag's cert-store, and within the
web-server with which you are trying to establish an SSL
connection?

Arshad Noor
StrongAuth, Inc.

Michael StJohns wrote:
> Hi -
>
> One of my customers has an existing root key pair and CA cert that
> exists outside of Dogtag. I want to create a CA immediately subordinate
> to that root CA and use Dogtag for it.
>
> After numerous attempts to adapt Dogtag to an external CA, I admit to
> defeat. I've tried this with and without a PKCS7 chain, I've tried
> various extensions and formats for the new CA cert, etc.
>
> The CA system comes up, looks good, but looking at the SSL handshake
> with "openssl s_client" shows that the server isn't providing the entire
> chain, only the certificate for the server itself.
>
> Taking all of the certs in the chain from root through server and
> running them through the Java cert path checking routines seems to
> indicate the certs are fine.
>
>
> If I build a system from scratch - with a new root cert and key pair in
> one CA and then build a subordinate CA under that in the same domain it
> works perfectly.
>
> Has anyone else tried this? If so, can you give me a step-by-step please?
>
> Help!
>
> Mike
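An added example, not part of the original thread or of Dogtag: it reproduces offline the symptom described above, where a client that trusts only the root cannot validate a server certificate unless the sub-CA certificate is supplied with it. The PKI is constructed throwaway data; every name, the `x.cnf` file and the helper functions are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed throwaway PKI: root -> sub-CA -> server. All names are hypothetical.

issue() {  # $1=dir $2=name $3=CN $4=issuer name $5=extension section
  openssl req -new -newkey rsa:2048 -nodes -config "$1/x.cnf" -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
    -CAcreateserial -extfile "$1/x.cnf" -extensions "$5" -days 2 \
    -out "$1/$2.pem" 2>/dev/null
}

build_chain() {  # $1=empty working directory
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' \
    'CN=placeholder' '[ext_ca]' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' '[ext_leaf]' \
    'basicConstraints=CA:FALSE' > "$1/x.cnf" &&
  openssl req -x509 -newkey rsa:2048 -nodes -config "$1/x.cnf" \
    -extensions ext_ca -subj "/CN=Example External Root" -days 2 \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
  issue "$1" sub "Example Sub CA" root ext_ca &&
  issue "$1" server "server.example.test" sub ext_leaf
}

# Validate the server cert while trusting the root only. $2 (optional) is a PEM
# file of intermediates, i.e. what the server sent besides its own certificate.
verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/server.pem"
  else
    openssl verify -CAfile "$1/root.pem" "$1/server.pem"
  fi 2>&1 | grep -q 'server.pem: OK'
}

# Count certificates in a PEM bundle or in saved "s_client -showcerts" output.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

d=$(mktemp -d) && build_chain "$d" || exit 1
verify_leaf "$d" && echo "leaf only: OK" || echo "leaf only: FAIL, issuer not found"
verify_leaf "$d" "$d/sub.pem" && echo "leaf + sub-CA: OK" || echo "leaf + sub-CA: FAIL"
cat "$d/server.pem" "$d/sub.pem" > "$d/sent.pem"
echo "certificates a complete handshake would carry: $(count_certs "$d/sent.pem")"
```

Against a live server, `count_certs` can be pointed at the saved output of `openssl s_client -showcerts`; a count of 1 matches the incomplete-chain symptom in the question.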