On 4/4/2010 6:37 PM, Arshad Noor wrote:
I believe your problem may be due to the fact that your self-signed
Root CA certificate does not contain the AuthorityKeyIdentifier (AKI)
extension - it only has the SubjectKeyIdentifier (SKI) extension.
I tried issuing a new root cert with the AKI (and then doing a rebuild
of the whole CA) - no luck. But thanks for the suggestion.
But - I did find out why my chain wasn't being accepted. It turns out
that even though step 3 requires an armored Base64 value (e.g.
-----BEGIN CERTIFICATE----- -----END CERTIFICATE-----), step 2 only
wants the unarmored Base64 value of the PKCS7 chain object. It also
doesn't appear to care whether or not the chain contains the new CA
certificate for this instance. At least now the certs are ending up in
the database even if the chains still don't seem to work.
I'm going to - tomorrow - try and replicate exactly the extensions and
settings as generated for Root and CA that are wholly Dogtag in certs
that I genrate. It shouldn't be this difficult. Part of the issue is
that there isn't enough feedback or checking for this branch of the
When I do "certutil -V -u V -d . -n "Server-Cert <instance>" in the
<instance>/alias directory I still get a
certutil -V -u V -d . -n "Server-Cert cert-fake"
certutil: certificate is invalid: Peer's Certificate issuer is not