[Pki-users] How to generate cert from command line...

Adam Young ayoung at redhat.com
Fri May 23 02:23:54 UTC 2014


On 05/22/2014 10:12 PM, Ricardo Alexander Perez Ricardez wrote:
>
> Hi,
>
> I'm trying to create a certificate to install in my Apache server or
> Internet Information Services. I followed the steps at this
> URL: http://pki.fedoraproject.org/wiki/Apache_Cert_Enrollment
>
> Some simple steps are listed here on how to proceed to enroll a server
> certificate for an apache webserver with Dogtag.
>
> *STEP ONE:* Generate a Key/CSR:
>
> openssl genrsa -des3 -out www.mydomain.com.key 1024
>
> openssl req -new -key www.mydomain.com.key -out www.mydomain.com.csr
>
> Fill out all the prompts here including
> Country Name, State, Locality, Organization Name, Organizational Unit
> Name, Common Name.
>
> Sample CSR from the above commands:
>
> *STEP TWO:* Submit this CSR to the "Server Certificate Enrollment"
> profile of the Dogtag CA and get it approved.
>
> *STEP THREE:* Download the Cert and the CA and get them installed in
> apache.
>
> I have problems in *step three*: when I click on the option "Import
> Your Certificate" in the Dogtag Certificate Manager web console, I
> receive the following message:
>
> "This certificate cannot staff be installed Because you do not own the
> Corresponding private key"
>
> Searching on Google I found this:
>
> When I try to download my issued certificate, I get an “Accept in
> PKCS7” error message.
>
> If you are getting the “Error in accept PKCS7” message that means that
> the Microsoft OS/Internet Explorer cannot find the private key(s) for
> those certificates. (Please note that this does not necessarily mean
> that the private key(s) are not there, just that the MS system cannot
> find them.)
>
> This happens because:
>
> -the request was done under a different log-in profile (you are logged
> on under a different username/password) than when the request was made
>
> -or the request was made with a different browser (for example, Firefox)
>
> -or the request was made on a different computer than the one you are
> trying to import it on
>
> -or something was done to the machine (like an update to the operating
> system -- a Windows update, profile change, computer re-imaged, etc.)
>
> You will only be able to import the issued certificate onto the same
> computer, same log-in profile, and using the same web browser as when
> you made the on-line request. (i.e. as when you got the “Print this
> form” web page).
>
> Well now, I have the certificate in Base 64 format. The Dogtag console
> shows me the following information:
>
> Installing this certificate in a server
>
> The Following format can be used to install this certificate into a
> server.
>
> Base 64 encoded certificate
>
> In this picture I deleted some lines deliberately, but my certificate
> is complete.
>
> Base 64 encoded certificate with CA certificate chain in pkcs7 format
>
> In this picture I deleted some lines deliberately, but my certificate
> is complete.
>
> Well now, what do I do with this information? How do I generate my
> certificate from this plain format, since the console in my web
> browser does not allow me to import the certificate?
>
> How can I generate my certificate from the command line?
>
> How can I generate my certificates in .cer, .crt, .pfx, .p12?
>
> What format should I use?
>
Use Certmonger and make things easy on yourself:


https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/getting-started.txt

http://rpm.pbone.net/index.php3/stat/45/idpl/25503325/numer/8/nazwa/certmonger-dogtag-ipa-renew-agent-submit
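
Added example, not part of either message and not taken from the Dogtag wiki or Certmonger: the quoted three steps done with openssl alone, showing why a browser "Import" fails (the private key is in the `.key` file from STEP ONE, not in the browser's key store) and how the issued certificate is checked against that key and converted. The host name, file names, password and the throwaway CA standing in for Dogtag are constructed, and `pub_fp`, `key_matches` and `issue_demo` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: host name, file names, password and the stand-in CA are constructed.
set -eu

# SHA-256 of the public key inside a private key (key), CSR (req) or certificate (x509).
pub_fp() {
  pem=$(case "$1" in
    (key)  openssl pkey -in "$2" -pubout ;;
    (req)  openssl req  -in "$2" -noout -pubkey ;;
    (x509) openssl x509 -in "$2" -noout -pubkey ;;
    (*)    false ;;
  esac) || return 1
  printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

# Succeeds only when certificate $2 was issued for the public half of key $1.
# An unreadable file counts as "no match" rather than comparing two empty results.
key_matches() {
  a=$(pub_fp key "$1") && b=$(pub_fp x509 "$2") && [ "$a" = "$b" ]
}

# Runs the quoted steps non-interactively inside directory $1.
issue_demo() (
  cd "$1"
  # Throwaway CA standing in for the Dogtag CA that signs in STEP TWO.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout ca.key -out ca.crt 2>/dev/null
  # STEP ONE without prompts; 2048 bits and no passphrase are this example's choices.
  openssl genrsa -out www.key 2048 2>/dev/null
  openssl req -new -key www.key -subj "/CN=www.example.test" -out www.csr
  # STEP TWO stand-in: the CA signs the CSR and returns a Base 64 (PEM) certificate.
  openssl x509 -req -in www.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -out www.crt 2>/dev/null
  # The "certificate with CA certificate chain in pkcs7 format" variant.
  openssl crl2pkcs7 -nocrl -certfile www.crt -certfile ca.crt -out chain.p7b
  # STEP THREE conversions: PKCS#7 -> PEM chain, PEM -> DER (.cer).
  openssl pkcs7 -in chain.p7b -print_certs -out chain.pem
  openssl x509 -in www.crt -outform DER -out www.cer
  # .p12/.pfx bundles key + certificate + chain; refuse to build it on a mismatch.
  key_matches www.key www.crt
  openssl pkcs12 -export -inkey www.key -in www.crt -certfile ca.crt \
    -name www.example.test -passout pass:constructed -out www.p12
)

work=$(mktemp -d)
issue_demo "$work"
key_matches "$work/www.key" "$work/www.crt" && echo "certificate matches www.key"
```

Apache takes the PEM certificate and the key as separate files; the `.p12`/`.pfx` bundle is the form that carries the private key along with the certificate.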




