On Fri, Feb 08, 2019 at 02:12:59PM +0100, joris dedieu wrote:
> Hello Pki users,
>
> I found how to issue a sub certificate with pki ca-authority-create
> and export certificate with ca-authority-show, but I don't understand
> how to export Sub CA key. I need it to sign some certificates with
> puppet or openssl. Is there a way to do so?
>
> Best Regards
> Joris

You really shouldn't export the sub-CA key. There are two
alternatives:

1. Use Dogtag to sign the required certificates using the
   lightweight sub-CA. For example:

     pki ca-cert-request-submit --csr-file PATH --issuer-id UUID

2. Generate a keypair and CSR for the Puppet/OpenSSL CA, and create
   the certificate in Dogtag using a CA profile. Dogtag never sees the
   sub-CA's private key.

Hope that helps,
Fraser
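
The local half of alternative 2 from the reply above, as an added example that is not part of the original thread: the key pair is generated on the Puppet/OpenSSL host and only the CSR is handed to Dogtag. The function names, file names, key size and subject DN are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example. File names, key size and subject DN are constructed values.

# make_subca_csr DIR SUBJECT
# Generate the sub-CA key pair on this host and write a CSR beside it.
# The private key is created under umask 077 and is never copied anywhere.
make_subca_csr() (
    dir=$1
    subject=$2
    umask 077
    mkdir -p "$dir" || exit 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
        -out "$dir/subca.key" 2>/dev/null || exit 1
    openssl req -new -key "$dir/subca.key" -subj "$subject" \
        -out "$dir/subca.csr" || exit 1
)

# csr_matches_key DIR
# Succeeds only if the CSR's self-signature verifies and the public key in
# the CSR is the one belonging to the private key held locally.
csr_matches_key() (
    dir=$1
    openssl req -in "$dir/subca.csr" -noout -verify >/dev/null 2>&1 || exit 1
    csr_pub=$(openssl req -in "$dir/subca.csr" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$dir/subca.key" -pubout -outform DER |
        openssl dgst -sha256)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
)

# Typical use (constructed paths and subject):
#   make_subca_csr /etc/puppet-ca "/O=EXAMPLE/CN=Puppet Sub CA"
#   csr_matches_key /etc/puppet-ca && echo "CSR ready to submit"
# Next step: submit subca.csr to Dogtag under a CA profile, as the reply
# describes. The profile name depends on the deployment and is not shown here.
```

Only `subca.csr` leaves the host; `subca.key` stays where it was generated, which is the property the reply relies on.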