Can't sign certs, wth?

  • maximus_m3

    maximus_m3 - 2008-10-07

    Ok, so I setup a private key, did a CSR, then self signed it so I basically have a CA.

    I next created a new csr and then attempt to sign it.  However, no matter what I do, the option to sign with my CA cert is not available.  The radio button is stuck on Self Sign with a serial number and the other option is grayed out.

    Anybody have any ideas of what might cause this?

    • Christian Hohnstaedt

      You may safely skip the intermediate step of the CSR and directly click on "New certificate"
      Use the "[default] CA" template for sane defaults for CA certificates.

      I guess the  extension "basic constraints CA:TRUE" is missing in your CA certificate.

      Try the documentation:

  • Ben Raubenolt

    Ben Raubenolt - 2013-12-16

    I am having the same problem. It seems to work fine with a CA created in XCA. But if I import one using PKCS#12, it seems to lose its connection to the private key. Then I can't use that CA to sign anything. I haven't found a way to reattach the private key that shows up on the private key tab.

  • Christian Hohnstaedt

    Are you sure that the certificate and key do match (have the same modulus) ?
    It is possible to create a PKCS#12 file with some key and a completely unrelated certificate.
    Has the PKCS#12 file been created by XCA or another software ?

    What does the "Certificate Details" say about the key ? "not available" ?
    or does XCA show the name of the key ?


Log in to post a comment.