#2953 pki-server ca-cert-chain-export does not appear to export the entire chain for a sub-CA
Closed: migrated 4 years ago by dmoluguw. Opened 7 years ago by tvaughan.

I have set up a root and sub CA and am attempting to export the entire certificate chain for the sub CA using the following command:

pki-server ca-cert-chain-export -i sub-ca --pkcs12-file sub-ca-chain.p12 --pkcs12-password-file sub-ca.pwd

When run, this is only exporting the root CA certificate and does not output both the sub CA and the root CA certificate which is what I was expecting.

Package Version: pki-server-10.4.1-17.el7_4.noarch



Hi, I think the pki-server ca-cert-chain-export command was originally intended to export the cert chain of the system certs, excluding the leaf cert itself. So if you have a sub CA cert, the cert chain is just the root CA cert.

It might not be a very useful command, so we might deprecate it in the future. There is a better command to export the CA signing cert with the complete chain:

$ pki-server cert-export ca_signing ...

or if that is not available in PKI 10.4, try this:

$ pki-server subsystem-cert-export ca signing ...

If that works, feel free to close this ticket, or keep it open to deprecate the pki-server ca-cert-chain-export. Thanks!

@edewata The second command subsystem-cert-export worked for my purposes.

I would suggest updating the documentation to reflect the proper method for doing this and definitely deprecating, or changing, the ca-cert-chain-export command.

Thanks for the help, this can be closed.
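A way to check what a PKCS#12 export actually contains, added here as an example and not part of the original thread or of Dogtag's own tooling: the function lists each certificate's subject and issuer with `openssl` and reports `root-only` (the result described in this ticket), `incomplete`, or `complete`. The function name and verdict strings are assumptions made for illustration.

```shell
#!/bin/sh
# p12_chain_verdict FILE PASSWORD_FILE   (hypothetical helper, not a pki-server command)
# Prints one of:
#   empty       no certificate could be read (wrong password, or no certs in the file)
#   root-only   only self-issued certificates are present, i.e. no sub CA cert
#   incomplete  some certificate's issuer is not itself in the bundle
#   complete    a non-root cert is present and every issuer is in the bundle
# "Self-issued" is decided by comparing subject and issuer names only;
# signatures are not verified here.
p12_chain_verdict() {
    p12=$1
    pwfile=$2
    # Dump the certificates only, then re-wrap them as PKCS#7 so that
    # -print_certs emits one subject=/issuer= pair per certificate.
    openssl pkcs12 -in "$p12" -nokeys -passin "file:$pwfile" 2>/dev/null |
    openssl crl2pkcs7 -nocrl -certfile /dev/stdin 2>/dev/null |
    openssl pkcs7 -print_certs -noout 2>/dev/null |
    awk '
        /^subject=/ { s = substr($0, 9); have[s] = 1 }
        /^issuer=/  { i = substr($0, 8); n++
                      if (s != i) { nonroot++; need[i] = 1 } }
        END {
            if (n == 0)       { print "empty"; exit }
            if (nonroot == 0) { print "root-only"; exit }
            for (i in need) if (!(i in have)) { print "incomplete"; exit }
            print "complete"
        }'
}

# Stand-alone use: sh check-p12.sh sub-ca-chain.p12 sub-ca.pwd
if [ "$#" -ge 2 ]; then
    p12_chain_verdict "$1" "$2"
fi
```
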

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/3071

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on the Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
