I try to add a subCA via CLI.
I know how to add a Root CA but it seems that for a sub we're supposed to add "--signedby" in the request.
Here my command :
--signedby <CA_ID>
The ID of a CA that will sign this CA. If this is omitted the new CA will be self signed (i.e. a root CA).To create a CA signed by an external CA, use the keyword 'External' as <CA_ID>, this will result in a certificate request (CSR) being saved on file, to be signed by the external CA. Requires parameter '-externalcachain <externalCA chain PEM file' with the full certificate chain of the external CA.
You should in other word be using the CA ID, not it's name. You can see the ID with the listcas command.
Cheers,
Mike Kushner
Developer, Primekey Solutions
Hey,
I try to add a subCA via CLI.
I know how to add a Root CA but it seems that for a sub we're supposed to add "--signedby" in the request.
Here my command :
bin/ejbca.sh ca init Clients "C=FR,O=Doc,CN=Clients" soft null 2048 RSA 365 --policy 2.5.29.32.0 -s SHA256WithRSA --signedby Root.
But it seems he doesn't know Root (which is an active CA of mine).
Thanks for helping
Hi,
The --help for ca init says:
--signedby <CA_ID>
The ID of a CA that will sign this CA. If this is omitted the new CA will be self signed (i.e. a root CA).To create a CA signed by an external CA, use the keyword 'External' as <CA_ID>, this will result in a certificate request (CSR) being saved on file, to be signed by the external CA. Requires parameter '-externalcachain <externalCA chain PEM file' with the full certificate chain of the external CA.
You should in other word be using the CA ID, not it's name. You can see the ID with the listcas command.
Cheers,
Mike Kushner
Developer, Primekey Solutions
PrimeKey Solutions offers commercial EJBCA and SignServer support
subscriptions and training courses. Please see www.primekey.se or
contact sales@primekey.se for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/
Thank you Mike,
It perfectly works !
Can you now tell me how I am supposed to delete a CA ?
Hi Isgor,
You'll have to do that from the GUI, no CLI commands exist for CA deletion.
Cheers,
Mike Kushner
Developer, Primekey Solutions
PrimeKey Solutions offers commercial EJBCA and SignServer support
subscriptions and training courses. Please see www.primekey.se or
contact sales@primekey.se for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/
Thank you again for this piece of information.
One last question, can you tell me how can I generate my end user certificates ? (by CLI if it's possible)
Protip: If it's not in the CLI docs, then it's probably not in the CLI.
The end user certificate is generated, in the general case, when end user enrolls on the public web.
Cheers,
Mike Kushner
Developer, Primekey Solutions
PrimeKey Solutions offers commercial EJBCA and SignServer support
subscriptions and training courses. Please see www.primekey.se or
contact sales@primekey.se for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/
I created a EE using "bin/ejbca.sh ra addendentity ..."
But when I click on "View Certificates" I get :
Certificate specified doesn’t exist in database, it may not have been generated.
Last edit: Isgor Darek 2014-07-08
You've added the end entity, but this entity needs to enroll for its certificate to be generated. I suggest you study the docs before continuing.
Cheers,
Mike Kushner
Developer, Primekey Solutions
PrimeKey Solutions offers commercial EJBCA and SignServer support
subscriptions and training courses. Please see www.primekey.se or
contact sales@primekey.se for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/
Ok ! I got it !
Thx for your time Mike