With Windows certificate services, upon installation it will ask you to select the type of CA the server is to become from 4 different options. I've chosen an enterprise online CA, however its parent is offline, so of course I cannot make an online certificate request. I saved the actual certificate request as a .der file (Windows defaults to .req I believe) and copied to the OpenSSL parent box.

Perhaps my signing command was in error. I used "ca -config /pathtoconfigfile/openssl.cnf -out thecertificate.pem -in windowsrequestfile.der".

When installing the subordinate's certificate, it does not like .pem files...which doesn't really surprise me. The available options are .cer, .crt, .p12, .pfx and .p7b. I was using pkcs12 as it indicated there was an available export option for that command. When I tried to use the .pem file it would give me the error "The certificate is not a CA certificate". I also executed the command you suggested and tried installing the .der file; it gives the same error.

Regards,
Aaron

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: Wednesday, December 27, 2006 11:24
To: openssl-users@openssl.org
Subject: Re: OpenSSL with Windows subordinates

The private key resides on the Windows machine and doesn't leave it which is as it should be.

A PKCS#12 file is only really used when the private key and matching certificate are present.

You really need to just install the certificate and have Windows associate the key with it. How you do that depends on exactly what you did in Step #1.

You may be able to just install the newcert.pem file or you can convert it to DER using:

openssl x509 -in newcert.pem -outform DER -out newcert.der

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]