Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
L
L
Logout_902016-03-09 13:43:42
linux
Logout_90, 2016-03-09 13:43:42

How to set up a Windows AD subordinate CA if root CA on Linux openssl (easyrsa)?

Gentlemen, good day!
I came up with the idea to configure the issuance of certificates for users and devices on the network. Since AD ​​is being used, the decision was made to raise Windows Certificate Services.
In order to save money, I want the certificate of the root certificate server to be generated by openssl (I use easyrsa).
So, in the vars file from the easyrsa kit, I changed the following:

set_var EASYRSA_DN      "org"
set_var EASYRSA_DIGEST          "sha512"

Accordingly, the algorithm remains rsa, sha512 and the "traditional" CN format are used.
I do pki-init, followed by build-ca, I import the public certificate into Windows trusted root certificate authorities.
Then I install the role of certificate services, I make a request to issue a certificate. I copy the request to the server with easyrsa and issue a certificate to the Windows subordinate certificate server.
However, when I try to import the certificate through the CA utility, I get the following message: "This certificate is not a CA certificate".
bb57b3d336f64c6e8d9d97105e1b2881.png
The CA doesn't seem to like the format of the certificate. Hence the question: How can I issue a certificate using openssl, preferably in the easyrsa binding, so that the certification authority is satisfied?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

1 answer(s)
Report
C
CityCat4, 2016-03-09
@Logout_90

I won’t say anything about easyrsa, but the CA certificate must have a special sign that it is a CA certificate. The desire to create a CA, then release a sub-CA and issue certificates in Windows on its behalf, in principle, takes place. When there is Windows and non-Windows on the network, there are, for example, Mikrotiks, d-link, and some other devices ... Again, it is easier for users to generate certificates on openssl. But this is if you understand what to do - no easyrsa will be needed there.
If you just need a certificate service for Windows, then don't pull yourself out of the swamp by your hair - start the service and let it generate the CA root certificate by itself. True, you should immediately take into account that without an additional PKCS # 12 template, there is no way for the user to collapse - you can only getcertificate filled with data based on AD and only on one computer.
To issue a CA certificate using openssl, openssl.cnf must contain the
[ v3_ca ]
basicConstraints = CA:true
section, and when a certificate is issued with this section as an extension, it becomes a CA certificate.

Similar questions
F
Fak32011-06-18 12:14:38
Linux without swap - crashing flashplayer loves HDD (linux virtual memory subsystem) for a long time? 1Reply
A
Anatoly2018-02-17 12:56:35
How to redirect a port to another server while keeping the client's IP? 2Reply
P
p01nt2011-06-21 19:59:49
Collected or munin? 1Reply
N
Nikita Musikhin2015-10-14 15:42:35
Why can Ubuntu freeze while running? 5Reply
S
step-olga2015-10-14 17:40:21
How to properly set up a DNS server on Ubuntu 14.04 LTS? 2Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question