FAQ

I have successfully created a certificate request. The file with suffix .spkac or .pem was stored in directory $dir/newreqs. How do I issue the certificate?
You have to issue the cert manually by invoking the “openssl ca” command.

Cert request created with Netscape or Opera:

openssl ca -name [name of CA section] -spkac [pathname of CSR.spkac]

Cert request created with M$ IE:

openssl ca -name [name of CA section] -in [pathname of CSR.pem]

This creates the certificate and stores it in newcerts/ as file [serial].pem. Call ca-cycle-pub.py afterwards and receive e-mail…

Do I need LDAP for deploying pyCA?
No. pyCA supports uploading certificates to an LDAP server, but all the data it needs is stored in the directory structure on your file system.
How can I store the issued end-entity certificates on a LDAP host?
The certificates are replicated to an LDAP server by certs2ldap.py, which searches for existing entries and adds the DER-encoded certificate to the attribute userCertificate;binary. Expired certificates may be deleted (use carefully!).
New LDAP entries will not be created, because the LDAP directory structure usually differs from the certificate DN structure. It is up to your LDAP admin to create entries for the end entities.
How can I store the CA certificates and CRLs on a LDAP host?
ca2ldif.py can create an LDIF file of your CA cert hierarchy, which you can upload to the LDAP server using the usual tools shipped with your LDAP server software.
Currently the CRLs are not updated on a regular basis.
It seems that an exception is raised while parsing the lines of openssl.cnf. Why is that happening?
Please check that the values of single-valued configuration attributes do not contain a comma. A comma is used as the delimiter when a configuration attribute may have multiple values. (Frankly, the openssl.cnf syntax and my parser both suck. I wouldn’t use openssl.cnf for configuration anymore today.)
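An added illustration of the comma problem, not pyCA's own parser: a minimal reader for openssl.cnf-style files that splits only a fixed set of known multi-valued keys on commas (the MULTI_VALUED set is an assumption) and reports every single-valued attribute whose value still contains a comma, run over a constructed sample config.

```python
import re

# Keys OpenSSL itself reads as comma-separated lists (assumption: only these).
MULTI_VALUED = {"keyUsage", "extendedKeyUsage", "subjectAltName",
                "issuerAltName", "nsCertType", "basicConstraints"}

_SECTION = re.compile(r"^\s*\[\s*(\S+)\s*\]\s*$")
_ATTR = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")
_VAR = re.compile(r"\$\{?([A-Za-z0-9_]+)\}?")  # $name or ${name} only

def parse_openssl_cnf(text):
    """Return {section: {key: value}}; MULTI_VALUED keys become lists split
    on ',', '$name' is expanded from the current or the default section, and
    '#' starts a comment (even inside quotes, a simplification)."""
    cfg = {"default": {}}
    section = "default"
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if not line.strip():
            continue
        m = _SECTION.match(line)
        if m:
            section = m.group(1)
            cfg.setdefault(section, {})
            continue
        m = _ATTR.match(line)
        if not m:
            raise ValueError("unparsable line: %r" % line)
        key, value = m.groups()
        value = _VAR.sub(lambda v: cfg[section].get(
            v.group(1), cfg["default"].get(v.group(1), v.group(0))), value)
        cfg[section][key] = ([s.strip() for s in value.split(",")]
                             if key in MULTI_VALUED else value)
    return cfg

def comma_problems(cfg):
    """(section, key, value) for single-valued attributes containing a comma,
    i.e. the values the FAQ says make pyCA's parser raise an exception."""
    return [(s, k, v) for s, attrs in cfg.items() for k, v in attrs.items()
            if isinstance(v, str) and "," in v]

SAMPLE_CNF = """\
dir = /var/lib/pyca            # constructed sample, not a real pyCA config
[ CA_default ]
new_certs_dir = $dir/newcerts
[ usr_cert ]
nsComment = "Issued by pyCA, see policy"
keyUsage = digitalSignature, keyEncipherment
"""
```

On the sample, `comma_problems(parse_openssl_cnf(SAMPLE_CNF))` flags only the quoted nsComment value, while keyUsage is accepted as a list.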