
I do have a private key (my_ca.key) and a public key (my_cert.crt) which is signed by DigiCert. Now I want to create an RA (Registration Authority) and sign it with my private key. Here is the way I tried to do that. But when I try to export the private and public key as a PKCS#12 file I keep getting an error like this: `unable to get local issuer certificate getting chain`. No idea how to solve this. Here my_cert.crt is extended from DigiCert High Assurance CA-3 and that one is extended from DigiCert High Assurance EV Root CA.

    SSL_SUBJ="/C=LK/ST=Colombo/L=Colombo/O=Nope/OU=mobile/CN=My root"

    # RA key and CSR, then sign the CSR with my DigiCert-issued certificate
    openssl genrsa -out ra.key 4096
    openssl req -new -key ra.key -out ra.csr -subj "$SSL_SUBJ"
    openssl x509 -req -days 365 -in ra.csr -CA my_cert.pem -CAkey my_ca.pem -set_serial 76964474 -out ra.crt
    openssl rsa -in ra.key -text > ra_private.pem
    openssl x509 -in ra.crt -out ra_cert.pem

    # export CA and RA as PKCS#12; the second command is the one that fails
    openssl pkcs12 -export -out ca.p12 -inkey my_ca.pem -in my_cert.pem -name "cacert" -passout pass:password
    openssl pkcs12 -export -out ra.p12 -inkey ra_private.pem -in ra_cert.pem -chain -CAfile my_cert.pem -name "racert" -passout pass:password

1 Answer


You usually can't use a certificate issued by a public CA to sign anything but client or server traffic; you won't be able to use it for your RA.

The error message indicates that there is a problem with the intermediate certificates. Make sure that you add both of DigiCert's certificates to the my_cert.pem file before exporting it to PKCS#12.

Kevin Keane
  • You mean `cat DigiCert.crt my_cert.crt > my_cert.crt`, and then without the -chain keyword it works. But without the -chain flag, is that correct? – GPrathap Mar 05 '15 at 06:10
  • Well, if you try this particular cat command, you'll destroy your my_cert.crt file. I'd do: `cat DigiCert.crt my_cert.crt > my_cert_to_export.crt`. Correct about the -chain flag. You only have that with your RA certificate anyway; see my answer for some additional concerns about that. – Kevin Keane Mar 05 '15 at 06:14
  • Ok, thank you. Actually I have been developing the SCEP (http://en.wikipedia.org/wiki/Simple_Certificate_Enrollment_Protocol) protocol for Mac OS X. So in that case I have to provide a CA and an RA. So if I create a self-signed CA and then the RA, would that be the correct way to solve this? – GPrathap Mar 05 '15 at 06:24
  • Yes. A CA certificate must be flagged as such (see http://tools.ietf.org/html/rfc5280#section-4.2.1.9), and if you set it in your CSR, a commercial CA is always going to delete that flag before signing your CSR. A self-signed CA certificate is standard; it's called a root certificate. Of course you will need to add it to the trust stores of whatever client will be accessing sites protected by it (i.e., you have to add it to the Web browser if you are using the certs signed by your CA for Web sites). – Kevin Keane Mar 05 '15 at 07:25
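The following script is an added demonstration (not code from the question or the answer) that reproduces the thread offline with a throwaway hierarchy: a constructed public root, intermediate and end-entity certificate standing in for DigiCert's root, CA-3 and my_cert.crt, an RA signed by that end-entity as the question attempted, and then an RA under a private self-signed root as the comments settle on. All subjects, file names and helper names are constructed for the demo; it needs only a local `openssl` (1.1.1 or later) and a temp dir.

```shell
#!/bin/sh
# Throwaway PKI mirroring the thread: public root -> intermediate -> end-entity
# (stand-in for my_cert.crt, issued without CA:TRUE), an RA signed by that
# end-entity, and finally an RA under a private self-signed root.
set -u
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK" || exit 1
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext   # RFC 5280 4.2.1.9 CA flag
printf 'basicConstraints=CA:FALSE\n'         > ee.ext   # what a public CA issues to a customer

# Helpers (hypothetical names): key+CSR, CA-signed cert, self-signed root.
csr()      { openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
               -subj "/CN=$2" 2>/dev/null; }
sign()     { openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
               -days 30 -extfile "$3" -out "$1.crt" 2>/dev/null; }
selfsign() { csr "$1" "$2"; openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 \
               -extfile ca.ext -out "$1.crt" 2>/dev/null; }

# The step that failed in the question: with -chain, pkcs12 -export must build a
# complete path from the cert to a trusted root using only what -CAfile provides.
p12() { # name cafile -> prints ok|fail
  if openssl pkcs12 -export -chain -CAfile "$2" -inkey "$1.key" -in "$1.crt" \
       -out "$1.p12" -passout pass:password 2>/dev/null; then echo ok; else echo fail; fi
}

# 1. Public hierarchy (stand-ins for DigiCert EV Root / CA-3 / my_cert.crt).
selfsign pubroot "Public Root"
csr pubinter "Public Intermediate"; sign pubinter pubroot ca.ext
csr my_cert  "my cert";             sign my_cert  pubinter ee.ext
csr ra       "RA";                  sign ra       my_cert  ee.ext   # x509 -req signs regardless

# 2. Exporting ra.p12: the leaf alone as CAfile reproduces "unable to get local
#    issuer certificate"; the complete public chain still fails, because my_cert
#    carries no CA flag and therefore cannot act as an issuer in a valid chain.
cat my_cert.crt pubinter.crt pubroot.crt > my_cert_to_export.crt
LEAF_ONLY=$(p12 ra my_cert.crt)            # fail
FULL_CHAIN=$(p12 ra my_cert_to_export.crt) # fail

# 3. What the comments settle on: a private self-signed root that issues the RA.
selfsign myroot "My root"
csr ra2 "RA"; sign ra2 myroot ee.ext
PRIVATE_ROOT=$(p12 ra2 myroot.crt)         # ok
printf 'leaf only: %s, full public chain: %s, private root: %s\n' \
  "$LEAF_ONLY" "$FULL_CHAIN" "$PRIVATE_ROOT"
```

Running `openssl verify -CAfile my_cert_to_export.crt ra.crt` in the temp dir shows the same distinction directly, reporting the non-CA issuer as the reason rather than a missing one.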