linux
Logout_90, 2016-03-09 13:43:42

How to set up a Windows AD subordinate CA if the root CA is on Linux openssl (easyrsa)?

Gentlemen, good day!
I came up with the idea of configuring the issuance of certificates for users and devices on the network. Since AD is being used, the decision was made to bring up Windows Certificate Services.
In order to save money, I want the certificate of the root certificate server to be generated by openssl (I use easyrsa).
So, in the vars file from the easyrsa kit, I changed the following:

set_var EASYRSA_DN      "org"
set_var EASYRSA_DIGEST          "sha512"

Accordingly, the algorithm remains rsa; sha512 and the "traditional" CN format are used.
I do pki-init, followed by build-ca, and import the public certificate into the Windows trusted root certification authorities store.
Then I install the role of certificate services, I make a request to issue a certificate. I copy the request to the server with easyrsa and issue a certificate to the Windows subordinate certificate server.
However, when I try to import the certificate through the CA utility, I get the following message: "This certificate is not a CA certificate".
The CA doesn't seem to like the format of the certificate. Hence the question: How can I issue a certificate using openssl, preferably in the easyrsa binding, so that the certification authority is satisfied?

1 answer(s)
CityCat4, 2016-03-09
@Logout_90

I won't say anything about easyrsa, but the CA certificate must have a special sign that it is a CA certificate. The desire to create a CA, then release a sub-CA and issue certificates in Windows on its behalf, in principle, takes place. When there are Windows and non-Windows machines on the network, there are, for example, MikroTiks, D-Link, and some other devices ... Again, it is easier for users to generate certificates with openssl. But this is if you understand what to do - no easyrsa will be needed there.
If you just need a certificate service for Windows, then don't pull yourself out of the swamp by your hair - start the service and let it generate the CA root certificate by itself. True, you should immediately take into account that without an additional PKCS#12 template, there is no way for the user to collapse - you can only get a certificate filled with data based on AD and only on one computer.
To issue a CA certificate using openssl, openssl.cnf must contain the
[ v3_ca ]
basicConstraints = CA:true
section, and when a certificate is issued with this section as an extension, it becomes a CA certificate.
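As an added illustration (not code from the post or from easyrsa), the script below signs a sub-CA request with an openssl root using a v3 extension section with basicConstraints = CA:true, signs the same request once more with no extensions to reproduce the "not a CA certificate" result from the question, and checks both. It assumes only the openssl CLI; the config file, subjects and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: sign a sub-CA CSR so the certificate
# carries basicConstraints CA:true, and check the result. Names are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"
# Config with the answer's [ v3_ca ] section plus a sub-CA section; pathlen:0
# keeps the Windows sub-CA from issuing further CA certificates.
write_config() {
  cat >"$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
[ v3_subca ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
EOF
}
# Root key and self-signed root certificate (stands in for easyrsa build-ca).
make_root() {
  write_config
  openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -sha512 -days 3650 -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}
# CSR standing in for the one Windows Certificate Services generates.
make_subca_csr() {
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha512 \
    -subj "/CN=Example Windows Sub CA" \
    -keyout "$WORK/subca.key" -out "$WORK/subca.csr" 2>/dev/null
}
# Sign the CSR with the root. $1 = output file, $2 = extension section ("" = none,
# which reproduces the poster's problem: the certificate is not marked as a CA).
sign_subca() {
  out=$1
  if [ -n "$2" ]; then set -- -extfile "$WORK/ca.cnf" -extensions "$2"; else set --; fi
  openssl x509 -req -in "$WORK/subca.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -sha512 -days 1825 "$@" -out "$out" 2>/dev/null
}
# Prints CA or NOT-CA depending on the basicConstraints flag the Windows CA console wants.
is_ca_cert() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo CA; else echo NOT-CA; fi
}
demo() {
  make_root; make_subca_csr
  sign_subca "$WORK/subca.crt" v3_subca; sign_subca "$WORK/subca-v1.crt" ""
  echo "v3_subca: $(is_ca_cert "$WORK/subca.crt")  no extensions: $(is_ca_cert "$WORK/subca-v1.crt")"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo`; the certificate signed with the v3_subca section is the one to hand to the Windows CA, while the one signed without extensions is exactly what the console rejects.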
