Can't sign certs, wth?

Help
maximus_m3
2008-10-07
2013-12-17
  • maximus_m3
    maximus_m3
    2008-10-07

    Ok, so I setup a private key, did a CSR, then self signed it so I basically have a CA.

    I next created a new csr and then attempt to sign it.  However, no matter what I do, the option to sign with my CA cert is not available.  The radio button is stuck on Self Sign with a serial number and the other option is grayed out.

    Anybody have any ideas of what might cause this?

     
    • You may safely skip the intermediate step of the CSR and directly click on "New certificate"
      Use the "[default] CA" template for sane defaults for CA certificates.

      I guess the  extension "basic constraints CA:TRUE" is missing in your CA certificate.

      Try the documentation: http://xca.sourceforge.net/xca-9.html#ss9.1

       
  • Ben Raubenolt
    Ben Raubenolt
    2013-12-16

    I am having the same problem. It seems to work fine with a CA created in XCA. But if I import one using PKCS#12, it seems to lose its connection to the private key. Then I can't use that CA to sign anything. I haven't found a way to reattach the private key that shows up on the private key tab.

     
  • Are you sure that the certificate and key do match (have the same modulus) ?
    It is possible to create a PKCS#12 file with some key and a completely unrelated certificate.
    Has the PKCS#12 file been created by XCA or another software ?

    What does the "Certificate Details" say about the key ? "not available" ?
    or does XCA show the name of the key ?