Add SubCa via CLI

Help
2014-07-07
2014-07-08
  • Isgor Darek
    2014-07-07

    Hey,

    I'm trying to add a subCA via the CLI.
    I know how to add a Root CA, but it seems that for a sub we're supposed to add "--signedby" in the request.
    Here is my command:

    bin/ejbca.sh ca init Clients "C=FR,O=Doc,CN=Clients" soft null 2048 RSA 365 --policy 2.5.29.32.0 -s SHA256WithRSA --signedby Root.

    But it seems it doesn't know Root (which is an active CA of mine).

    Thanks for helping

     
  • Mike Kushner
    2014-07-07

    Hi,

    The --help for ca init says:

    --signedby <CA_ID>
    The ID of a CA that will sign this CA. If this is omitted the new CA will be self signed (i.e. a root CA).To create a CA signed by an external CA, use the keyword 'External' as <CA_ID>, this will result in a certificate request (CSR) being saved on file, to be signed by the external CA. Requires parameter '-externalcachain <externalCA chain PEM file' with the full certificate chain of the external CA.

    You should in other words be using the CA ID, not its name. You can see the ID with the listcas command.

    Cheers,
    Mike Kushner
    Developer, Primekey Solutions


    PrimeKey Solutions offers commercial EJBCA and SignServer support
    subscriptions and training courses. Please see www.primekey.se or
    contact sales@primekey.se for more information.
    http://www.primekey.se/Services/Support/
    http://www.primekey.se/Services/Training/
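
Added example, not part of the original thread and not EJBCA's own code: a shell helper that resolves a CA name to the numeric ID that --signedby expects, reading `ca listcas` output on stdin. The "CA Name:" / "Id:" line layout, the function names and the sample values are assumptions constructed for illustration; check them against the output of your EJBCA version.

```shell
#!/bin/sh
# Resolve an EJBCA CA name to its numeric CA ID from `ca listcas` output.
# ASSUMPTION: each CA is printed as a "CA Name: <name>" line followed by an
# "Id: <number>" line. Adjust the patterns if your version prints differently.

# Constructed sample output (not captured from a real installation).
sample_listcas() {
cat <<'EOF'
CA Name: Root
 Id: -1836591224
 Subject DN: CN=Root,O=Doc,C=FR
CA Name: Root Test
 Id: 402917735
 Subject DN: CN=Root Test,O=Doc,C=FR
EOF
}

# ca_id_by_name NAME   (listcas output on stdin; hypothetical helper)
# Prints the ID and returns 0 on exactly one exact-name match.
# Returns 1 if no CA has that name, 2 if the name matches more than once,
# so a typo or a duplicate never silently picks the wrong issuer.
ca_id_by_name() {
  awk -v want="$1" '
    /^[ \t]*CA Name:/ {
      name = $0
      sub(/^[ \t]*CA Name:[ \t]*/, "", name)
      sub(/[ \t\r]+$/, "", name)
      next
    }
    /^[ \t]*Id:/ && name == want {
      id = $0
      sub(/^[ \t]*Id:[ \t]*/, "", id)
      sub(/[ \t\r]+$/, "", id)
      n++
      name = ""
    }
    END {
      if (n == 1) { print id; exit 0 }
      exit (n == 0 ? 1 : 2)
    }
  '
}

# Against a live installation, using the command from the question:
#   id=$(bin/ejbca.sh ca listcas | ca_id_by_name Root) || exit 1
#   bin/ejbca.sh ca init Clients "C=FR,O=Doc,CN=Clients" soft null 2048 RSA 365 \
#       --policy 2.5.29.32.0 -s SHA256WithRSA --signedby "$id"

sample_listcas | ca_id_by_name Root   # prints -1836591224
```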


     
  • Isgor Darek
    2014-07-08

    Thank you Mike,

    It works perfectly!

    Can you now tell me how I am supposed to delete a CA?

     
  • Mike Kushner
    2014-07-08

    Hi Isgor,

    You'll have to do that from the GUI, no CLI commands exist for CA deletion.

    Cheers,
    Mike Kushner
    Developer, Primekey Solutions

     
  • Isgor Darek
    2014-07-08

    Thank you again for this piece of information.

    One last question: can you tell me how I can generate my end user certificates? (By CLI if possible.)

     
  • Mike Kushner
    2014-07-08

    Protip: If it's not in the CLI docs, then it's probably not in the CLI.

    The end user certificate is generated, in the general case, when the end user enrolls on the public web.

    Cheers,
    Mike Kushner
    Developer, Primekey Solutions

     
  • Isgor Darek
    2014-07-08

    I created an EE using "bin/ejbca.sh ra addendentity ..."
    But when I click on "View Certificates" I get:

    Certificate specified doesn’t exist in database, it may not have been generated.

     
  • Mike Kushner
    2014-07-08

    You've added the end entity, but this entity needs to enroll for its certificate to be generated. I suggest you study the docs before continuing.

    Cheers,
    Mike Kushner
    Developer, Primekey Solutions

     
  • Isgor Darek
    2014-07-08

    OK! I got it!
    Thanks for your time, Mike.