[Pki-users] exporting sub CA to pem format
Fraser Tweedale
ftweedal at redhat.com
Mon Feb 11 00:41:55 UTC 2019
On Fri, Feb 08, 2019 at 02:12:59PM +0100, joris dedieu wrote:
> Hello Pki users,
> I found how to issue a sub certificate with pki ca-authority-create
> and export the certificate with ca-authority-show, but I don't understand
> how to export the Sub CA key. I need it to sign some certificates with
> puppet or openssl. Is there a way to do so?
>
> Best Regards
> Joris
>
You really shouldn't export the sub-CA key. There are two
alternatives:

1. Use Dogtag to sign the required certificates using the
   lightweight sub-CA. For example:

     pki ca-cert-request-submit --csr-file PATH --issuer-id UUID

2. Generate a keypair and CSR for the Puppet/OpenSSL CA, and create
   the certificate in Dogtag using a CA profile. Dogtag never sees the
   sub-CA's private key.

Hope that helps,
Fraser
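
Added example, not part of the original message and not Dogtag project code: a sketch of the local half of alternative 2, generating the Puppet/OpenSSL CA key and CSR on the host that will use them so that only the CSR goes to Dogtag. The function name, file names and subject DN are hypothetical, and the `--profile caCACert` choice in the closing comment assumes that profile is enabled on your deployment.

```shell
#!/bin/sh
# Added example: create a CA keypair and CSR locally (alternative 2).
# make_ca_csr, ca.key/ca.csr and the subject passed in are assumptions.

make_ca_csr() {
    # $1 = output directory, $2 = subject DN for the external CA
    dir=$1 subject=$2
    key="$dir/ca.key" csr="$dir/ca.csr"

    # Never overwrite an existing CA key: that would orphan issued certs.
    if [ -e "$key" ]; then
        echo "refusing to overwrite $key" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1

    # umask in a subshell so the private key is created owner-only.
    # -nodes leaves the key unencrypted on disk so the CA tooling can read
    # it; protect it with file permissions and host access control.
    (
        umask 077
        # The -addext values are only a request; the issuing profile
        # decides which extensions end up in the certificate.
        openssl req -new -newkey rsa:3072 -nodes \
            -keyout "$key" -out "$csr" \
            -subj "$subject" \
            -addext "basicConstraints=critical,CA:TRUE" \
            -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null
    ) || return 1

    # Check the CSR's self-signature (proof of possession) before sending.
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    printf '%s\n' "$csr"
}

# Only the CSR leaves the host. Submission needs a reachable Dogtag
# server, so it is shown here as a comment rather than run:
#   pki ca-cert-request-submit --profile caCACert \
#       --csr-file /path/to/ca.csr --issuer-id UUID
```

Requires OpenSSL 1.1.1 or later for `-addext`.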