I’m trying to set up a scenario where I have a CA on a server and I’d like to generate requests and sign them on that same server. I'm using this on CentOS 6.5 and using Easy-RSA 3.
I can make this work to init the pki, build the CA, and generate one server certificate, like so:
Code:
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-req "$HOSTNAME" nopass
./easyrsa sign-req server "$HOSTNAME"
Code:
userName=$1
./easyrsa gen-req "$userName" nopass # this works
./easyrsa sign-req client "$userName" # this doesn’t
Code:
[root@vps93298 easyrsa3]# ./easyrsa sign-req client zobi
Using configuration from /home/easyrsa/easy-rsa/easyrsa3/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'FR'
stateOrProvinceName :PRINTABLE:'IDF'
localityName :PRINTABLE:'Paris'
organizationName :PRINTABLE:'Something'
organizationalUnitName:PRINTABLE:'Private Signing Authority'
commonName :PRINTABLE:'vps93298.somedomain.io'
emailAddress :IA5STRING:'admin@somedomain.io'
Certificate is to be certified until Apr 26 16:46:10 2024 GMT (3650 days)
failed to update database
TXT_DB error number 2
Easy-RSA error:
signing failed (openssl output above may have more detail)
[root@vps93298 easyrsa3]#
Is this not supported? I realize that the documentation says that signing requests are done on another system (or another pki path I suppose) but it would be very useful to me to get all that to work on just one PKI. Is it possible?
Any help would be appreciated!
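
Added example, not part of the original post and not Easy-RSA code: `TXT_DB error number 2` is OpenSSL reporting that the new row clashes with a row already in the CA database (index.txt), and in the log above the request named zobi carries commonName vps93298.somedomain.io. The script below checks an index.txt for a still-valid certificate with the same subject before signing; the function names and sample rows are constructed, and the paths pki/index.txt and pki/reqs/NAME.req are assumptions about the default Easy-RSA 3 layout.

```shell
#!/bin/sh
# Added example, not Easy-RSA code: pre-signing check for a subject clash
# in an OpenSSL CA database (index.txt). Function names are hypothetical.

# Constructed sample subjects, written in the /C=../CN=.. form index.txt uses.
SAMPLE_SERVER_DN='/C=FR/ST=IDF/L=Paris/O=Something/OU=Private Signing Authority/CN=vps93298.somedomain.io/emailAddress=admin@somedomain.io'
SAMPLE_REVOKED_DN='/C=FR/ST=IDF/L=Paris/O=Something/CN=olduser'

# Write a constructed two-row index to $1. Columns are tab-separated:
# status, expiry, revocation date, serial, file name, subject.
make_sample_index() {
    {
        printf 'V\t240426164610Z\t\t01\tunknown\t%s\n' "$SAMPLE_SERVER_DN"
        printf 'R\t240426170000Z\t140501120000Z\t02\tunknown\t%s\n' "$SAMPLE_REVOKED_DN"
    } > "$1"
}

# Print "serial<TAB>subject" for every valid (V) row of index $1 whose
# subject equals $2. Revoked (R) and expired (E) rows are ignored.
# The subject goes through the environment so awk does not unescape it.
valid_rows_for_subject() {
    SUBJ="$2" awk -F'\t' '$1 == "V" && $6 == ENVIRON["SUBJ"] { print $4 "\t" $6 }' "$1"
}

# Exit status 0 when a request with subject $2 would collide with a valid row.
subject_would_clash() {
    [ -n "$(valid_rows_for_subject "$1" "$2")" ]
}

# Subject of the CSR file $1 in index.txt form (needs the openssl binary).
req_subject() {
    openssl req -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# Demo on the constructed index. Against a real PKI, the call would be
# subject_would_clash pki/index.txt "$(req_subject pki/reqs/NAME.req)"
# (paths assumed from the default Easy-RSA 3 layout).
idx=$(mktemp)
make_sample_index "$idx"
for dn in "$SAMPLE_SERVER_DN" "$SAMPLE_REVOKED_DN" '/C=FR/CN=zobi'; do
    if subject_would_clash "$idx" "$dn"; then
        echo "CLASH  $dn"
    else
        echo "ok     $dn"
    fi
done
rm -f "$idx"
```

A clash means the request needs its own subject (for example a distinct commonName) or the existing certificate has to be revoked before signing.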