On Wed, Apr 07, 2004, Steve OBrien wrote:

> >What commands have you used on OpenSSL to sign the request? You need the 
> CA certificate extensions for obvious reasons.
> I used openssl ca -sign and CA.pl -sign.
> I thought that 0.9.7 would accept the unknown x509 extensions? (as you can 
> probably tell I am no openssl expert, sorry just trying to figure it out)
> Do you have any references for what extensions I need and how to add them?
> 

A sensible set will be added if you use CA.pl -signCA.

It is possible the certificate request might suggest some extensions too. See
if:

openssl req -in req.pem -text -noout

(where 'req.pem' is the request from MS CA).

> >Also how are you trying to import the result back into Microsoft CA?
> Well the interesting thing is that I can do a certificate import and see 
> that in my personal store and import the CA as trusted root but as per M$ 
> the final step in creating a subordinate CA is to right click the CA in 
> the Certificate Authority MMC and "install CA certificate."  I have tried 
> the root ca in PKCS#12 format and the signed csr that was generated by this 
> machine and signed by openssl ca.  When I attempt the signed csr cert it 
> says "The new certificate public key does not match the current 
> outstanding request. Bad Key (HEX######)"
> 

If you've created the CSR with MS CA then you should just need the certificate
and not the private key (which MS CA has stored internally anyway).

Try importing the 'newcert.pem' file into MS CA. Failing that, convert to DER
with:

openssl x509 -in newcert.pem -outform DER -out newcert.der

and try importing newcert.der with MS CA.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
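The signing, inspection and DER-conversion steps from the reply, as an added shell example that is not part of the original thread. File names, subjects and the ca.ext contents are assumptions; the subordinate CSR is generated locally to stand in for the one MS CA produced, and the checks at the end are the ones worth running before attempting the import.

```shell
#!/bin/sh
# Added example, not from the original thread: sign a subordinate-CA CSR with
# the extensions a CA certificate needs, check the result, and convert it to
# DER for import. All file names and subjects here are constructed for the demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# The "sensible set" of CA extensions (what CA.pl -signCA supplies via the
# v3_ca section); written as an explicit extfile so it does not depend on
# the system openssl.cnf.
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF

make_root() {    # self-signed root standing in for the OpenSSL CA in the thread
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Demo Root CA" 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 365 \
    -extfile ca.ext -out root.pem 2>/dev/null
}
make_sub_csr() { # stands in for the request MS CA produced (MS CA keeps the key)
  openssl req -new -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
    -subj "/CN=Demo Sub CA" 2>/dev/null
}
show_requested_extensions() { # the part of 'openssl req -text' the reply points at
  openssl req -in sub.csr -text -noout | sed -n '/Requested Extensions/,$p'
}
sign_sub_ca() {  # issue the subordinate CA cert, forcing the CA extensions
  openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 365 -extfile ca.ext -out newcert.pem 2>/dev/null
}
to_der() {       # same conversion as in the reply
  openssl x509 -in newcert.pem -outform DER -out newcert.der
}
# Checks worth running before trying the import:
is_ca_cert()     { openssl x509 -in newcert.pem -noout -text | grep -q 'CA:TRUE'; }
chains_to_root() { openssl verify -CAfile root.pem newcert.pem >/dev/null 2>&1; }
key_matches_csr() {  # the mismatch MS CA reports as "public key does not match"
  [ "$(openssl x509 -in newcert.pem -pubkey -noout)" = \
    "$(openssl req -in sub.csr -pubkey -noout)" ]
}
is_der()         { [ "$(od -An -tx1 -N1 newcert.der | tr -d ' \n')" = "30" ]; }

make_root; make_sub_csr; show_requested_extensions; sign_sub_ca; to_der
if is_ca_cert && chains_to_root && key_matches_csr && is_der; then
  echo "newcert.der ready for import in $WORK"
else
  echo "certificate failed its pre-import checks" >&2; exit 1
fi
```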