04-08-2016 01:42 PM
I am hitting a wall on this. I found several examples of how to create the CSR, and that is exactly where I am hitting the wall: creating the CSR. The problem is I already created one for a root certificate, which is installed in one of the IronPorts now, and it works fine; the problem is it needed to be a subordinate to the root, and now I need to recreate the process. When I try to generate the CSR with this:
certreq.exe -new c:\users\desktop\certs\wsa\openssl.cnf c:\users\desktop\certs\wsa\Ironport-cacert.req
I get this:
Certificate Request Processor: Object already exists. 0x8009000f (-2146893809)
I tried other methods where I generate the key first and then try to generate the CSR with this:
openssl req -new -out c:\users\desktop\certs\wsa\Ironport-Sub-Ca.csr -key c:\users\desktop\certs\wsa\Ironport-Sub-Ca.key -config openssl.cnf
I then get this:
Loading 'screen' into random state - done
unable to find 'distinguished_name' in config
problems making Certificate Request
7036:error:0E06D06C:configuration file routines:NCONF_get_string:no value:./crypto/conf/conf_lib.c:329:group=req name=distinguished_name
The cnf file looks like this, and it is the same one used to generate the original CSR when I did the root.
Signature="$Windows NT$"
[Strings]
CACN = "Issuing CA"
[NewRequest]
Subject = "CN=%CACN%"
Exportable = True
MachineKeySet = True
KeyLength = 2048
KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
KeyContainer = "%CACN%"
[Extensions]
2.5.29.19 = "{text}ca=1&pathlength=0"
Critical = 2.5.29.19
I am doing this on a Windows 7 machine, if that helps any. This was done years ago for each server, but one of them had to be replaced, which is the one I am working on now. However, after talking to TAC I learned that both machines need to have identical SubCAs installed, since they are HA paired and both are decrypting. I will need to create one single cert and key and load it into both boxes for them to work correctly. The problem is, the original openssl.cnf file is long gone.
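The file shown in the post is in certreq's INF syntax (the Signature="$Windows NT$" header and the [NewRequest] section), which is why openssl req cannot find a distinguished_name entry in it: openssl req reads a [req] section that names a distinguished_name section, and it does not understand the INF keywords. The certreq error 0x8009000f is CRYPT_E_EXISTS ("Object already exists"), which certreq typically raises when the key container named in KeyContainer already exists in the machine key store from the earlier request. The following is an added example, not the poster's files or anything from Cisco, showing an OpenSSL-native config that expresses the same intent (a subordinate CA request with ca=1, pathlength 0, and signing/CRL key usages) and a check that the resulting CSR actually carries those extensions before it is sent for signing. The output directory, file names and the "Issuing CA" common name are assumptions taken from the post.

```sh
#!/bin/sh
# Added example: generate a subordinate-CA CSR with OpenSSL and verify its extensions.
# Not the poster's files; paths and names below are assumptions.
set -eu

WORKDIR="${1:-./subca-example}"   # assumed output directory

# Write an OpenSSL-format config. Unlike certreq's INF file ([NewRequest] etc.),
# openssl req needs a [req] section pointing at a distinguished_name section.
write_openssl_cnf() {
    cat > "$WORKDIR/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
req_extensions     = subca_ext
prompt             = no
default_md         = sha256

[ req_dn ]
CN = Issuing CA

[ subca_ext ]
# Same constraints the INF expressed as "ca=1&pathlength=0" and the three key usages.
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage         = critical, keyCertSign, cRLSign, digitalSignature
EOF
}

# Generate one private key and one CSR from it. Keeping the key in a file (rather than
# a machine key container) is what lets the same key/cert pair be loaded on both HA peers.
make_subca_csr() {
    mkdir -p "$WORKDIR"
    write_openssl_cnf
    openssl genrsa -out "$WORKDIR/Ironport-Sub-Ca.key" 2048 2>/dev/null
    openssl req -new -config "$WORKDIR/openssl.cnf" \
        -key "$WORKDIR/Ironport-Sub-Ca.key" \
        -out "$WORKDIR/Ironport-Sub-Ca.csr"
}

# Confirm the CSR carries the CA constraints and key usages before submitting it.
# Returns 0 when all three markers are present in the decoded request.
csr_has_subca_extensions() {
    text=$(openssl req -noout -text -in "$WORKDIR/Ironport-Sub-Ca.csr")
    printf '%s\n' "$text" | grep -q 'CA:TRUE' &&
    printf '%s\n' "$text" | grep -q 'pathlen:0' &&
    printf '%s\n' "$text" | grep -q 'Certificate Sign'
}

# Usage: SUBCA_EXAMPLE_RUN=1 sh subca_csr.sh [outdir]
if [ "${SUBCA_EXAMPLE_RUN:-0}" = "1" ]; then
    make_subca_csr && csr_has_subca_extensions && echo "CSR written to $WORKDIR with sub-CA extensions"
fi
```

The private key file produced here is the single secret that both appliances would share; it should be generated once, kept off any machine that does not need it, and protected with at least the same care as the root CA key that signs the request.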
04-11-2016 03:34 AM
Hi. How long is your other cert still valid for?
You may just want to re-issue if you can. You can download the certificate from the GUI, but this won't give you the private key. I would try to export the certificate and private key from the one device, then upload them to the other one. I don't know if that's possible, or how to do it. If that fails, try to re-issue a new cert.