Post the existing Root CA certificate and the new DogTag SubCA
certificate (in Base64-encoded format) to the forum. Without
looking at the certificates, its hard to debug the issue.
Also, do you have the current Root CA's certificate stored as
a trusted CA within DogTag's cert-store, and within the
web-server with which you are trying to establish an SSL
Michael StJohns wrote:
One of my customers has an existing root key pair and CA cert that
exists outside of Dogtag. I want to create a CA immediately subordinate
to that root CA and use Dogtag for it.
After numerous attempts to adopt Dogtag to an external CA, I admit to
defeat. I've tried this with and without a PKCS7 chain, I've tried
various extensions and formats for the new CA cert, etc.
The CA system comes up, looks good, but looking at the SSL hand shake
with "openssl s_client" shows that the server isn't providing the entire
chain, only the certificate for the server itself.
Taking all of the certs in the chain from root through server and
running them through the Java cert path checking routines seems to
indicate the certs are fine.
If I build a system from scratch - with a new root cert and key pair in
one CA and then build a subordinate CA under that in the same domain it
Has anyone else tried this? If so, can you give me a step-by-step please?
Pki-users mailing list