Dr Stephen Henson wrote:

> Anyway there are a couple of formats for "chains". The "standard"
> version is PKCS#7 where you can do...
> 
> openssl crl2pkcs7 -nocrl -certfile user.pem -certfile ca.pem -outform DER -out p7.der
> 
> You can use -certfile multiple times and each file can contain multiple
> certificates, just make sure the first certificate of the first file is
> the user certificate.

Yeah!  That did it, wonderful!  I'm really indebted...  Even if sometimes
PKCS#7 did cross my mind, I would have never guessed something starting
with 'crl2' would be the thing...

> If you send that as MIME type application/x-user-cert it should work.
> If you want PEM format I think Netscape is expecting CERTIFICATE in the
> base64 version while OpenSSL uses PKCS#7 in the BEGIN and END lines, so
> you may need to edit that.

I have not tried PEM format, I used DER, but I will keep this in mind
for later (when I will want PEM probably).

> The other format is a Netscape specific format called a "Netscape
> certificate sequence". The program 'nseq' in 'openssl' can handle these.

Oh, so far I was monkeying with asn1parse and the like to extract
certificates from Netscape chains, I did not notice there was an 'nseq'
thing.  Pity does not grok DER, though.

> The command arguments only allow one file at present and only PEM
> format.
> This should do the trick though:
> openssl nseq -toseq -in certs.pem -out nseq.pem
> Then send nseq.pem as before. You can use PEM format this time.

But it will take several certs from the file, as far as I can see from
the code and from the 'certs.pem' filename you chose, right?

Thanks again,

Julio
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
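
The two bundling commands discussed in this thread, as an added example that is not part of the original messages: it builds a throwaway CA and user certificate, creates the PKCS#7 bundle with the user certificate first, then checks the stored order and round-trips the same certificates through `nseq`. The names "Demo CA" and "Demo User" and the temporary file layout are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. "Demo CA", "Demo User" and all file names are constructed.

# Create a throwaway CA and a user certificate signed by it in directory $1,
# then bundle both into a certs-only PKCS#7 file, user certificate first.
build_chain_bundle() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo User" \
        -keyout "$dir/user.key" -out "$dir/user.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/user.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/user.pem" 2>/dev/null || return 1
    openssl crl2pkcs7 -nocrl -certfile "$dir/user.pem" -certfile "$dir/ca.pem" \
        -outform DER -out "$dir/p7.der"
}

# Print one "subject=" line per certificate, in the order stored in bundle $1.
bundle_subjects() {
    openssl pkcs7 -inform DER -in "$1" -print_certs -noout | grep '^subject'
}

# Pack user.pem + ca.pem from $1 into a Netscape certificate sequence, unpack
# it again, and print how many certificates came back out.
nseq_count() {
    cat "$1/user.pem" "$1/ca.pem" > "$1/certs.pem"
    openssl nseq -toseq -in "$1/certs.pem" -out "$1/nseq.pem" || return 1
    openssl nseq -in "$1/nseq.pem" | grep -c 'BEGIN CERTIFICATE'
}

work=$(mktemp -d)
build_chain_bundle "$work" || echo "openssl failed" >&2
bundle_subjects "$work/p7.der"      # the user certificate should be listed first
nseq_count "$work"
```

Running `bundle_subjects` on a bundle before serving it is a quick check that the end-entity certificate really is in the first position.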