WSA Sub-CA creation issues

tahscolony
Level 1

I am hitting a wall on this. I found several examples of how to create the CSR, and that is where I am hitting the wall: creating the CSR. The problem is I created one already for a root certificate, which is installed in one of the Ironports now, and it works fine; the problem is, it needed to be a subordinate to the root, and now I need to recreate the process. When I try to generate the CSR with this:

certreq.exe -new c:\users\desktop\certs\wsa\openssl.cnf c:\users\desktop\certs\wsa\Ironport-cacert.req

I get this:
Certificate Request Processor: Object already exists. 0x8009000f (-2146893809)

I tried other methods where I generate the key, and then try to generate the CSR with this:

openssl req -new -out c:\users\desktop\certs\wsa\Ironport-Sub-Ca.csr -key c:\users\desktop\certs\wsa\Ironport-Sub-Ca.key -config openssl.cnf

I then get this:

Loading 'screen' into random state - done
unable to find 'distinguished_name' in config
problems making Certificate Request
7036:error:0E06D06C:configuration file routines:NCONF_get_string:no value:./crypto/conf/conf_lib.c:329:group=req name=distinguished_name

The cnf file looks like this, and is the same one used to generate the original CSR when I did the root:

Signature="$Windows NT$"

[Strings]
CACN = "Issuing CA"
 
[NewRequest]
Subject = "CN=%CACN%"
Exportable = True
MachineKeySet = True
KeyLength = 2048
KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
KeyContainer = "%CACN%"
 
[Extensions]
2.5.29.19 = "{text}ca=1&pathlength=0"
Critical = 2.5.29.19

I am doing this on a Windows 7 machine, if that helps any. This was done years ago for each server, but one of them had to be replaced, which is the one I am working on now. However, after talking to TAC I learned both machines need to have identical Sub-CAs installed, since they are HA paired and both are decrypting. I will need to create one single cert and key and load it into both boxes for them to work correctly. The problem is, the original openssl.cnf file is long gone.

1 Reply

Andre Neethling
Level 4

Hi. How long is your other cert still valid for?

You may just want to re-issue if you can. You can download the certificate from the GUI, but this won't give you the private key. I would try to export the certificate + private key from the one device, then upload it to the other one. I don't know if that's possible, or how to do it. If that fails, try to re-issue a new cert.
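Added example, not part of the original thread or of any Cisco or OpenSSL documentation. The file shown in the question is a certreq INF file (the Signature="$Windows NT$" header and [NewRequest] section are certreq's format), so it is never going to satisfy openssl req, which looks for a [req] section whose distinguished_name key names a section of subject fields; that is exactly what the "unable to find 'distinguished_name' in config" error is saying. The certreq error 0x8009000f is NTE_EXISTS, whose usual cause with this INF is the KeyContainer name already existing in the machine key store from the earlier root request. The script below writes a minimal OpenSSL-format config carrying the same sub-CA constraints the INF expresses (CA:TRUE with pathlen:0, and keyCertSign/cRLSign/digitalSignature), generates the key and CSR, and checks that the CSR actually carries those constraints before it is handed to the root CA for signing. The working directory and the subject name "Issuing CA" are assumptions for illustration; the key usage and basicConstraints values mirror the question's INF.

```shell
#!/bin/sh
# Added example (not from the original post): an OpenSSL-format config with the
# [req] and distinguished_name sections that openssl req requires, followed by
# key and CSR generation for a subordinate CA. WORKDIR and CA_CN are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_CN="${CA_CN:-Issuing CA}"   # hypothetical subject, mirrors the INF's CACN

# Write the config. Unlike the certreq INF, OpenSSL needs a [req] section and a
# distinguished_name key pointing at the section that holds the subject fields.
write_openssl_cnf() {
    cat > "$WORKDIR/openssl.cnf" <<EOF
[ req ]
default_bits        = 2048
prompt              = no
distinguished_name  = req_distinguished_name
req_extensions      = v3_subca

[ req_distinguished_name ]
CN = $CA_CN

[ v3_subca ]
# Same constraints the INF expresses as ca=1&pathlength=0 and the
# CERT_*_KEY_USAGE flags: a CA that may only issue end-entity certificates.
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
EOF
}

# Generate a fresh RSA key and the sub-CA CSR; prints the CSR path.
make_subca_csr() {
    write_openssl_cnf
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/subca.key" 2>/dev/null
    openssl req -new -config "$WORKDIR/openssl.cnf" \
        -key "$WORKDIR/subca.key" -out "$WORKDIR/subca.csr"
    echo "$WORKDIR/subca.csr"
}

# Confirm the CSR really requests the sub-CA constraints before it goes to the
# root CA for signing; returns 1 if the path length limit or keyCertSign is missing.
verify_subca_csr() {
    text=$(openssl req -in "$1" -noout -text)
    printf '%s\n' "$text" | grep -q 'CA:TRUE, pathlen:0' || return 1
    printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
    return 0
}

# Usage: generate, verify, and report where the CSR was written.
csr=$(make_subca_csr)
verify_subca_csr "$csr" && echo "sub-CA CSR written to $csr"
```

The same key and CSR are used once; after the root CA signs the request, the resulting certificate plus subca.key is the single pair to load on both HA members, since the thread notes the two decrypting appliances must hold identical sub-CA material. Keep subca.key off shared storage and restrict its file permissions, as anything holding that key can issue certificates the proxy's clients will trust.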