On 05/22/2014 10:12 PM, Ricardo Alexander Perez Ricardez wrote:

Hi,

I'm trying to create a certificate to install in my Apache server or Internet Information Services; I followed the steps at this URL: http://pki.fedoraproject.org/wiki/Apache_Cert_Enrollment

Some simple steps are listed here on how to proceed to enroll a server certificate for an Apache webserver with Dogtag.

STEP ONE: Generate a Key/CSR:

openssl genrsa -des3 -out www.mydomain.com.key 1024

openssl req -new -key www.mydomain.com.key -out www.mydomain.com.csr

Fill out all the prompts here, including Country Name, State, Locality, Organization Name, Organizational Unit Name, Common Name.

Sample CSR from the above commands:

STEP TWO: Submit this CSR to the "Server Certificate Enrollment" profile of the Dogtag CA and get it approved.

STEP THREE: Download the Cert and the CA and get them installed in Apache.

I have problems in step three: when I click on the option "Import Your Certificate" from the Dogtag Certificate Manager web console, I receive the following message:

"This certificate cannot staff be installed Because you do not own the Corresponding private key"

Searching in Google I found this:

When I try to download my issued certificate, I get an “Accept in PKCS7” error message.

If you are getting the “Error in accept PKCS7” message that means that the Microsoft OS/Internet Explorer cannot find the private key(s) for those certificates. (Please note that this does not necessarily mean that the private key(s) are not there, just that the MS system cannot find them.)

This happens because:

- the request was done under a different log-in profile (you are logged on under a different username/password) than when the request was made
- or the request was made with a different browser (for example, Firefox)
- or the request was made on a different computer than the one you are trying to import it on
- or something was done to the machine (like an update to the operating system – a Windows update, profile change, computer re-imaged, etc.)

You will only be able to import the issued certificate onto the same computer, same log-in profile, and using the same web browser as when you made the on-line request (i.e. as when you got the “Print this form” web page).

Well now, I have the certificate in Base 64 format; the Dogtag console shows me the following information:

Installing this certificate in a server

The following format can be used to install this certificate into a server.

Base 64 encoded certificate

In this picture I deleted some lines deliberately, but my certificate is complete.

Base 64 encoded certificate with CA certificate chain in pkcs7 format

In this picture I deleted some lines deliberately, but my certificate is complete.

Well now, what do I do with this information? How do I generate my certificate from this plain format, since the web browser does not allow me to import the certificate from the console?

How can I generate my certificate from the command line?

How can I generate my certificates in .cer, .crt, .pfx, .p12?

What format should I use?

 

Use Certmonger and make things easy on yourself:


https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/getting-started.txt

http://rpm.pbone.net/index.php3/stat/45/idpl/25503325/numer/8/nazwa/certmonger-dogtag-ipa-renew-agent-submit
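For the command-line questions in the quoted message (going from the Base 64 certificate to .cer/.crt/.pfx/.p12, and why the browser refuses the import), here is an added shell example that is not from the thread or from Dogtag: it needs only the openssl binary, uses a constructed throwaway "Test CA" in place of the Dogtag CA so it runs offline, takes the file names and subject fields from the post's STEP ONE commands, and the `changeit` export password is a placeholder.

```shell
# Added example, not from the thread: STEP ONE of the post, a constructed
# local CA standing in for Dogtag (STEP TWO), and STEP THREE from the shell.
set -eu
WORK=${WORK:-$(mktemp -d)}
SUBJ="/C=US/ST=California/L=MountainView/O=RedHat/OU=IDM/CN=www.mydomain.com"

# STEP ONE as in the post, without -des3 so no passphrase prompt blocks the
# script, and 2048 bits rather than 1024, which CAs and browsers now reject.
make_key_and_csr() {
  openssl genrsa -out "$WORK/www.mydomain.com.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/www.mydomain.com.key" -subj "$SUBJ" \
    -out "$WORK/www.mydomain.com.csr"
}

# Stand-in for STEP TWO: a throwaway CA (constructed, not Dogtag) signs the CSR.
fake_ca_issue() {
  printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' \
    > "$WORK/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
    -config "$WORK/ca.cnf" -extensions v3_ca \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/www.mydomain.com.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/www.mydomain.com.crt" 2>/dev/null
}

# Prints "match" when key $1 belongs to cert $2, else "mismatch": this is the
# command-line form of the "do not own the corresponding private key" error.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout \
      | openssl pkey -pubin -pubout -outform DER | openssl sha256)
  [ "$k" = "$c" ] && echo match || echo mismatch
}

# STEP THREE from the command line: .crt is the Base 64 (PEM) certificate as
# pasted from the console, .cer the same in binary DER, and .pfx/.p12 is one
# PKCS#12 file holding key + certificate + CA chain, which is what IIS imports.
bundle_for_servers() {
  openssl x509 -in "$WORK/www.mydomain.com.crt" -outform DER \
    -out "$WORK/www.mydomain.com.cer"
  openssl pkcs12 -export -inkey "$WORK/www.mydomain.com.key" \
    -in "$WORK/www.mydomain.com.crt" -certfile "$WORK/ca.crt" \
    -name www.mydomain.com -passout pass:changeit \
    -out "$WORK/www.mydomain.com.pfx"
  cp "$WORK/www.mydomain.com.pfx" "$WORK/www.mydomain.com.p12"  # same format
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/www.mydomain.com.crt"
}
make_key_and_csr && fake_ca_issue && bundle_for_servers
key_matches_cert "$WORK/www.mydomain.com.key" "$WORK/www.mydomain.com.crt"
```

For Apache, point SSLCertificateFile at the .crt, SSLCertificateKeyFile at the .key and SSLCertificateChainFile (or the CA file) at the chain; the browser import is only needed when the key was generated inside the browser, which is not the case after STEP ONE.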