[Pki-users] exporting sub CA to pem format

Fraser Tweedale ftweedal at redhat.com
Mon Feb 11 00:45:50 UTC 2019


On Fri, Feb 08, 2019 at 10:53:08AM -0800, Marc Sauton wrote:
> I always use the pkispawn command to create instances, not "pki
> ca-authority-create", so I have a doubt.
>
To clarify, ca-authority-create creates a lightweight sub-CA within
an existing Dogtag CA instance.  For more info see
https://www.dogtagpki.org/wiki/Lightweight_sub-CAs.

> But try to check for a related PKCS #12 file with extension .p12 in ~/ , or
> use certutil in /etc/pki/*/alias/ , the default
> being /etc/pki/pki-tomcat/alias/
>
> If there is a p12 file, the key material is wrapped, if not, use pk12util
> to create a p12 file from the NSS db directory.
>
The lightweight CA keys indeed live in /etc/pki/pki-tomcat/alias
NSSDB.  No PKCS #12 file is created.  You could export them
yourself, but you probably shouldn't (unless for backup).  I suggest
alternatives in my other reply.

Cheers,
Fraser

> If this is using an HSM, do not export, or only use the vendor's tools.
> Thanks,
> M.
> 
> On Fri, Feb 8, 2019 at 5:13 AM joris dedieu <joris.dedieu at gmail.com> wrote:
> 
> > Hello Pki users,
> > I found how to issue a sub certificate with pki ca-authority-create
> > and export certificate with ca-authority-show, but I don't understand
> > how to export Sub CA key. I need it to sign some certificates with
> > puppet or openssl. Is there a way to do so?
> >
> > Best Regards
> > Joris
> >
> > _______________________________________________
> > Pki-users mailing list
> > Pki-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-users
> >
