On Fri, Feb 08, 2019 at 10:53:08AM -0800, Marc Sauton wrote:
> I always use the pkispawn command to create instances, not "pki
> ca-authority-create", so I have a doubt.

To clarify, ca-authority-create creates a lightweight sub-CA within
an existing Dogtag CA instance. For more info see
https://www.dogtagpki.org/wiki/Lightweight_sub-CAs.

> But try to check for a related PKCS #12 file with extension .p12 in
> ~/, or use certutil in /etc/pki/*/alias/, the default
> being /etc/pki/pki-tomcat/alias/.
> If there is a p12 file, the key material is wrapped; if not, use pk12util
> to create a p12 file from the NSS db directory.

The lightweight CA keys indeed live in /etc/pki/pki-tomcat/alias
NSSDB. No PKCS #12 file is created. You could export them
yourself, but you probably shouldn't (unless for backup). I suggest
alternatives in my other reply.

Cheers,
Fraser

> If this is using an HSM, do not export, or only use the vendor's
> tools.
> Thanks,
> M.
>
> On Fri, Feb 8, 2019 at 5:13 AM joris dedieu <joris.dedieu(a)gmail.com> wrote:
> > Hello Pki users,
> > I found how to issue a sub certificate with pki ca-authority-create
> > and export certificate with ca-authority-show, but I don't understand
> > how to export Sub CA key. I need it to sign some certificates with
> > puppet or openssl. Is there a way to do so?
> >
> > Best Regards
> > Joris
> >
> > _______________________________________________
> > Pki-users mailing list
> > Pki-users(a)redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-users