Discussion:
[OpenXPKI-users] How to configure openXPKI as issuing CA?
Gabriel Sailer
2016-12-10 11:51:49 UTC
Hello,
I want to set up OpenXPKI as an issuing CA of a Windows CA.
I can sign the necessary issuing certificate with the root CA.
But how do I configure OpenXPKI to act as an issuing CA?

I think I have to replace the self-signed root certificate and private key with the issuing certificate.
How do I install the new root certificate in OpenXPKI?

The other three installed certificates (ra, signing, ..) must also be replaced, I think.

I need OpenXPKI for installing 802.1X certificates on various client systems (Linux, MacOS, ..) via the SCEP protocol.
Microsoft NDES is no option because of installation restrictions (domain requirements).

Many thanks for any information

Gabs
Oliver Welter
2016-12-10 13:24:09 UTC
Hi Gabs,

Sorry, I don't get what your problem is.

You always have a self-signed certificate at the end of your chain and
if you follow the quickstart guide you will end up with an "offline root
ca" and an issuer certificate below which signs the request.

OpenXPKI can handle any depth of hierarchy levels, but you have to feed
the full certificate chain into the system (only the certificates, not
the keys!) to allow it to verify all levels up to the root.

Oliver
_______________________________________________
OpenXPKI-users mailing list
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!
Gabriel Sailer
2016-12-14 20:07:47 UTC
Hello Oliver,
that is what I have done.
I copied the ca_one directory at config.d/realm to a new one, issuing_ad_01.
Then I also created a subdirectory issuing_ad_01 in the ssl directory and copied the root certificate, the (signed) issuing certificate and the private key into this directory.

After the import of the root CA certificate (openxpkiadm certificate import --file root_ad_01) and the issuing certificate (openxpkiadm certificate import --file issuing_ad_01) I have no realm for this certificate.

How is the certificate matched to the created realm directory at config.d/realm/issuing_ad_01?

I looked at the script delivered with the Debian package, but I cannot see a command which does the binding for that.

Many thanks

Gabs
A***@o-s.de
2016-12-16 10:29:50 UTC
Hello,

you need to add "--realm 'name of realm' --token certsign" for the signer cert.

So in your case " openxpkiadm certificate import --file issuing_ad_01 --realm 'name of realm' --token certsign ".

Replace 'name of realm' with the name of your realm ;)


Mit freundlichen Grüßen / Best regards

Andreas Krieger
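
An added example, not part of the original thread or of the OpenXPKI project: a pre-import check for the two files that go into `openxpkiadm certificate import`, confirming that each file holds only a CA certificate (no private key) and that the issuing certificate verifies against the root. It assumes the `openssl` command line tool is installed; the function names and file names are hypothetical, and the demo chain is constructed with throwaway keys.

```shell
#!/bin/sh
# Added example: checks to run on certificate files before importing them.
# All file names and the demo chain below are constructed for illustration.

# True if the file carries a PEM private key block (keys must not be imported).
pem_has_private_key() { grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"; }

# True if the certificate has the CA flag set in basicConstraints.
is_ca_cert() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# True if $2 (issuing CA) verifies against $1 (root) as trust anchor.
chains_to_root() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Run all checks on root ($1) and issuing CA ($2); report the first failure.
preimport_check() {
  for f in "$1" "$2"; do
    if pem_has_private_key "$f"; then echo "FAIL: $f contains a private key"; return 1; fi
    if ! is_ca_cert "$f"; then echo "FAIL: $f is not a CA certificate"; return 1; fi
  done
  chains_to_root "$1" "$2" || { echo "FAIL: issuing CA does not chain to root"; return 1; }
  echo "OK: $(openssl x509 -in "$2" -noout -subject)"
}

# Build a constructed two-level chain (throwaway keys, 1 day validity) in dir $1.
make_demo_chain() {
  cat >"$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -config "$1/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Demo Root" -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Constructed Demo Issuing CA" -keyout "$1/issuing.key" -out "$1/issuing.csr" 2>/dev/null
  openssl x509 -req -in "$1/issuing.csr" -CA "$1/root.pem" -CAkey "$1/root.key" -CAcreateserial \
    -extfile "$1/ca.cnf" -extensions v3_ca -days 1 -out "$1/issuing.pem" 2>/dev/null
}

# Demo run on the constructed chain.
tmp=$(mktemp -d) && make_demo_chain "$tmp" && preimport_check "$tmp/root.pem" "$tmp/issuing.pem"
rm -rf "$tmp"
```
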

