Exporting Root CA certificates without the private key


Is there a facile method using NSS certificate utilities to export a Root CA certificate without its private key?

Responses

Hello

If you have a certificate from an outside source then you do not have the private key.

Can you tell us what it is you are trying to do and on what release? As our guides are being rewritten with tasks in mind it would help us to know.

Hi Stephen
I should've mentioned that I'm using self-signed CAs.
Working on establishing a VPN connection between my RHEL 7 VPN server and Windows 7 clients.
After much "wailing and gnashing of teeth" I found that the Windows client also required a Trusted Root CA for the VPN server.
So after some testing of various methods to generate a Trusted Root "Public" CA for my VPN server cert, sans the private key,
I found that the following certutil command works:

certutil -L -d dbm:/etc/ipsec.d/nss -n IDS_VPN_PUBLIC_CA -a -o /etc/ipsec.d/cacerts/ids_vpn_public_ca.crt

I then imported the CA into my test Win7 system's Trusted Root CA Store via the Windows MMC tool.

So that works for me.

Cheers
Guy
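
An added check, not part of the thread: before copying an exported file such as ids_vpn_public_ca.crt to clients, confirm that it holds only CERTIFICATE PEM blocks and no key material. The function name check_public_only and the sample file bodies are assumptions made for this example.

```shell
#!/bin/sh
# Prints "ok:<n>" (n certificate blocks) or "bad:<reason>"; returns 0 only for ok.
# It inspects PEM structure only; it does not validate the certificate itself.
check_public_only() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^-----BEGIN [A-Z0-9 ]+-----$/ {
            if (cur != "") { reason = "nested BEGIN"; exit }
            cur = $0
            sub(/^-----BEGIN /, "", cur); sub(/-----$/, "", cur)
            if (cur != "CERTIFICATE") { reason = "unexpected block: " cur; exit }
            next
        }
        /^-----END [A-Z0-9 ]+-----$/ {
            label = $0
            sub(/^-----END /, "", label); sub(/-----$/, "", label)
            if (label != cur) { reason = "unbalanced END"; exit }
            if (lines == 0) { reason = "empty block"; exit }
            cur = ""; lines = 0; certs++
            next
        }
        cur != "" {                             # body line inside a block
            if ($0 !~ /^[A-Za-z0-9+\/=]+$/) { reason = "non-base64 line"; exit }
            lines++
        }
        END {
            if (reason == "" && cur != "") reason = "missing END"
            if (reason == "" && certs == 0) reason = "no certificate found"
            if (reason != "") { print "bad:" reason; exit 1 }
            print "ok:" certs
        }
    ' "$1"
}

# Constructed samples: "MAA=" is a placeholder body, not a real certificate or key.
d=$(mktemp -d)
printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'MAA=' '-----END CERTIFICATE-----' > "$d/ca.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MAA=' '-----END PRIVATE KEY-----' > "$d/key.pem"
cat "$d/ca.crt" "$d/key.pem" > "$d/both.pem"
for f in ca.crt both.pem; do
    printf '%s: %s\n' "$f" "$(check_public_only "$d/$f")"
done
rm -rf "$d"
```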

That is good news. When you said "root" I thought you meant not self-signed but a "real" CA certificate.

Well Stephen, a self-signed CA is operationally a "real" CA.
Of course its use is limited to one's own system but it does function as a CA.
It's been my experience with regard to corporate intranets that self-signed CAs are used fairly extensively.
IBM's mainframe security-server RACF can generate them.
I keep pluggin' away at this stuff I may actually understand it one day ;-)

Cheers
Guy
