[Pki-users] How to generate cert from command line...

Ricardo Alexander Perez Ricardez rperez at pgjtabasco.gob.mx
Fri May 23 02:12:34 UTC 2014


Hi,



I'm trying to create a certificate to install on my Apache server or
Internet Information Services. I followed the steps at this URL:
http://pki.fedoraproject.org/wiki/Apache_Cert_Enrollment



Some simple steps are listed here on how to proceed to enroll a server
certificate for an apache webserver with Dogtag.



STEP ONE: Generate a Key/CSR:



openssl genrsa -des3 -out www.mydomain.com.key 1024



openssl req -new -key www.mydomain.com.key -out www.mydomain.com.csr



Fill out all the prompts here, including Country Name, State, Locality,
Organization Name, Organizational Unit Name, Common Name.



Sample CSR from the above commands:






STEP TWO: Submit this CSR to the "Server Certificate Enrollment" profile of
the Dogtag CA and get it approved.



STEP THREE: Download the Cert and the CA and get them installed in apache.



I have problems in step three: when I click on the option "Import Your
Certificate" in the Dogtag Certificate Manager web console, I receive the
following message:



"This certificate cannot staff be installed Because you do not own the
Corresponding private key"



Searching on Google, I found this:



When I try to download my issued certificate, I get an “Accept in PKCS7”
error message.



If you are getting the “Error in accept PKCS7” message that means that the
Microsoft OS/Internet Explorer cannot find the private key(s) for those
certificates. (Please note that this does not necessarily mean that the
private key(s) are not there, just that the MS system cannot find them.)



This happens because:



- the request was done under a different log-in profile (you are logged on
  under a different username/password) than when the request was made
- or the request was made with a different browser (for example, Firefox)
- or the request was made on a different computer than the one you are
  trying to import it on
- or something was done to the machine (like an update to the operating
  system - a Windows update, profile change, computer re-imaged, etc.)



You will only be able to import the issued certificate onto the same
computer, same log-in profile, and using the same web browser as when you
made the on-line request. (i.e. as when you got the “Print this form” web
page).



Well now, I have the certificate in Base 64 format. The Dogtag console shows
me the following information:



Installing this certificate in a server



The Following format can be used to install this certificate into a server.



Base 64 encoded certificate







In this picture I deleted some lines deliberately, but my certificate is
complete.



Base 64 encoded certificate with CA certificate chain in pkcs7 format







In this picture I deleted some lines deliberately, but my certificate is
complete.



Well now, what do I do with this information? How do I generate my certificate
with this plain format, since my web browser does not allow me to import the
certificate from the console?



How can I generate my certificate from the command line?



How can I generate my certificates in .cer, .crt, .pfx, .p12?



What format should I use?
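
The format questions that close the message, as an added example that is not part of the original post or of the Dogtag wiki: openssl commands that turn the "Base 64 encoded certificate" and the PKCS#7 chain into .cer and .pfx/.p12 files, after checking that the certificate belongs to the key from step one. The function names, file names and the PFX_PASS variable are assumptions; the demo uses a constructed self-signed certificate in place of one issued by the CA.

```shell
#!/bin/sh
# Added example; file names and the password are constructed placeholders.

# Succeeds only if the certificate carries the public key of this key file,
# i.e. this file is the "corresponding private key" for the certificate.
# An encrypted key (genrsa -des3) makes openssl prompt for its passphrase.
key_matches_cert() {  # $1 = key (PEM), $2 = certificate (PEM)
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# "Base 64 encoded certificate" (PEM, usually .crt/.pem) -> binary DER (.cer).
pem_to_der() {  # $1 = PEM in, $2 = DER out
    openssl x509 -in "$1" -outform DER -out "$2"
}

# "Certificate chain in pkcs7 format" -> plain PEM certificates.
p7_to_pem() {  # $1 = PKCS#7 PEM in, $2 = PEM out
    openssl pkcs7 -in "$1" -print_certs -out "$2"
}

# Key + certificate + chain -> PKCS#12 (.pfx/.p12), refused on key mismatch.
# $5 is an openssl pass phrase source such as env:PFX_PASS or file:/path,
# which keeps the export password off the command line.
make_pfx() {  # $1 = key, $2 = cert, $3 = chain PEM, $4 = out, $5 = pass source
    key_matches_cert "$1" "$2" || { echo "key/certificate mismatch" >&2; return 1; }
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -out "$4" -passout "$5"
}

# Constructed demo: a self-signed certificate stands in for the one issued by
# the CA, so the conversions can be tried without a Dogtag instance.
demo() {  # $1 = empty working directory
    d=$1
    PFX_PASS=constructed-demo-only; export PFX_PASS
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=www.example.test" \
        -keyout "$d/server.key" -out "$d/server.crt" 2>/dev/null || return 1
    openssl crl2pkcs7 -nocrl -certfile "$d/server.crt" -out "$d/chain.p7b" || return 1
    p7_to_pem "$d/chain.p7b" "$d/chain.pem" || return 1
    pem_to_der "$d/server.crt" "$d/server.cer" || return 1
    make_pfx "$d/server.key" "$d/server.crt" "$d/chain.pem" \
        "$d/server.pfx" env:PFX_PASS
}
```

Apache mod_ssl reads the PEM certificate and key files directly (SSLCertificateFile and SSLCertificateKeyFile), while IIS imports the PKCS#12 file. The .crt and .cer extensions are only conventions, since either can hold PEM or DER data.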


