Those steps are correct after putting the -req on 2b. It did generate
p12 client certificate and I was able to load it on Netscape
Communicator. It did try to authenticate with the server, but I think I
used a different private key so the authentication failed. So in short
summary, those steps did work to generate client certificate. BTW
I'm using linux 6.0 and SSL 0.9.4.
Hector Jimenez Pensado writes:
> I posted the original question (MSIE 5 cannot import personal certificate)
> You say you cannot use step 2b? I am using openssl 0.9.3a not 0.9.4.
>
> I read a note in the microsoft knowledge base where it said that in
> order to use a personal certificate, you need to logon to windows
> as the same user as the information in the certificate. How this is
> done I have no idea, don't know how to associate the certificate
> and the user profile. The closest I got was:
>
> 1. In the MSIE 5 Tools menu, under Internet Options, I
> selected Content, then My profile. A window appears and
> the last tab (upper menu) says: Digital ID, I added
> the same email account as the one in the personal certificate
> I created with openssl. But it does not appear in the
> Personal certificates list, it appears in the Other People
> certificate lists. This doesn't work. I need to put it
> in the personal list. Seems like the Other People list
> does not work for the browser to send a client certificate.
>
> I tried the suggestions from Dr. Henson's reply but don't work.
> I am wondering that the steps I made miss something, a signature,
> a certificate or some other information:
>
> 1. Are those steps correct?
> 2. I did not understand where to add the -certfile option, at the signature
> of the request?
>
> Thank you.
>
> Hj
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Yunhong Li
> > Sent: Wednesday, September 8, 1999 7:03 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: Confused
> >
> >
> >
> > I got the same problem with version 0.9.4. 'apps/x509.c' tries to read
> > 'client.csr' as a certificate, not a certificate request. But,
> > 'client.csr' is a certificate request. I believe the cmd should be:
> >
> > "openssl x509 -req -in client.csr ..."
> >
> > Meanwhile, I got another question. Is it possible to generate a
> > certificate with "Global Server ID" myself, not from VeriSign or other CA?
> >
> > Thanks.
> > Yunhong
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Biren Patel
> > Sent: Wednesday, September 08, 1999 4:22 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Confused
> >
> >
> >
> >
> > I seem to have a problem generating the client certificate. I tried step 2b
> > below and I get an error. I tried various ways and it fails. Here is the
> > error I get. Any help will be greatly appreciated.
> >
> > [root@ns2 /opt/SSL/misc] openssl x509 -in client.csr -out client.cert -CA ourca.cert -CAkey private.key -CAcreateserial -days 1024
> >
> > unable to load certificate
> > 6053:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:610:
> > [root@ns2 /opt/SSL/misc]
> >
> > I also tried direction from the pkcs12 home site and it fails at
> > signing the client request. Please help. Going crazy.
> >
> > Dr Stephen Henson writes:
> > > Hector Jimenez Pensado wrote:
> > > >
> > > > Hi,
> > > >
> > > > I cannot get MSIE 5 to add a personal certificate
> > > > that I added with openssl:
> > > >
> > > > 1. Generated a CA with:
> > > > a) The private key:
> > > > openssl genrsa -des3 -out private.key 1024
> > > > b) The self-signed certificate:
> > > > openssl req -x509 -new -key private.key -out ourca.cert
> > > >
> > > > 2. Generate client requests with:
> > > > a) Generate the client request and private key:
> > > > openssl req -new -outform PEM > client.csr
> > > > b) Sign that request with our CA
> > > > openssl x509 -in client.csr -out client.cert -CA ourca.cert -CAkey private.key -CAcreateserial -days 30
> > > > c) Generate a PKCS12 certificate:
> > > > openssl pkcs12 -export -in client.cert -out client.p12 -inkey privkey.pem
> > > >
> > > > So, if I do a double-click in the file client.cert in my win95
> > > > I get asked where to put the certificate, I tell Personal, I get
> > > > a successful import message but the certificate never shows in the
> > > > list.
> > > > I do the same with ourca.cert and it gets imported ok in the
> > > > Trusted Certificate lists, that works ok.
> > > >
> > > > If I import the client.p12, I do get prompted for the password but
> > > > then I get an invalid format error.
> > > >
> > > > What am I missing, I only want to be able to:
> > > >
> > > > 1. Generate my CA which I think I have done correctly (please
> > > > advise if my procedure is wrong, and a little elaborate
> > > > response other than: "use CA.pl").
> > > > 1a) Don't want to be asked for the CA password!
> > > >
> > > > 2. Generate client certificates which I can add to MSIE.
> > > >
> > >
> > > You need to import the '.p12' file, if you give it the extension ".pfx"
> > > then you should be able to double click on it with IE5. You can add the
> > > option:
> > > -certfile ourca.cert
> > > to the PKCS#12 step and it should add your CA automatically with IE5.
> > >
> > > You should also note that the PKCS#12 file (.p12 file) is a binary file
> > > so will be corrupted if it is transferred in text mode.
> > >
> > > Steve.
> > > --
> > > Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
> > > Personal Email: [EMAIL PROTECTED]
> > > Senior crypto engineer, Celo Communications: http://www.celocom.com/
> > > Core developer of the OpenSSL project: http://www.openssl.org/
> > > Business Email: [EMAIL PROTECTED] PGP key: via homepage.
> > >
> > > ______________________________________________________________________
> > > OpenSSL Project http://www.openssl.org
> > > User Support Mailing List [EMAIL PROTECTED]
> > > Automated List Manager [EMAIL PROTECTED]
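
The corrected sequence discussed in this thread (`-req` on step 2b, `-certfile` on the PKCS#12 step), with a check that the private key belongs to the certificate before the two are bundled. This is an added example, not a command sequence from any poster; the 2048-bit keys, the `client.key` file name, the subjects and the export password are constructed, and keys are left unencrypted so the script runs unattended.

```shell
#!/bin/sh
# Added example: file names, subjects and the export password are constructed.

# Succeeds only if the private key and the certificate carry the same public key.
key_matches_cert() {  # usage: key_matches_cert KEYFILE CERTFILE
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# Runs steps 1 to 2c from the thread inside DIR, with -req on step 2b.
issue_client_p12() {  # usage: issue_client_p12 DIR
    ( cd "$1" || exit 1
      # 1. CA private key and self-signed CA certificate
      openssl genrsa -out private.key 2048 2>/dev/null &&
      openssl req -x509 -new -key private.key -days 30 \
          -subj "/CN=Constructed Test CA" -out ourca.cert &&
      # 2a. client key and request; -keyout names the key file explicitly
      openssl req -new -newkey rsa:2048 -nodes -keyout client.key \
          -subj "/CN=Constructed Client" -out client.csr 2>/dev/null &&
      # 2b. -req tells x509 that the input is a request, not a certificate
      openssl x509 -req -in client.csr -CA ourca.cert -CAkey private.key \
          -CAcreateserial -days 30 -out client.cert 2>/dev/null &&
      # refuse to bundle a key that does not belong to the certificate
      key_matches_cert client.key client.cert &&
      # 2c. PKCS#12 bundle that also carries the CA certificate
      openssl pkcs12 -export -in client.cert -inkey client.key \
          -certfile ourca.cert -passout pass:constructed-demo \
          -out client.p12 )
}

demo_dir=$(mktemp -d)
if issue_client_p12 "$demo_dir"; then
    echo "client.p12 written to $demo_dir"
fi
# The CA key is not the client's key, so this pairing is rejected.
if ! key_matches_cert "$demo_dir/private.key" "$demo_dir/client.cert"; then
    echo "private.key does not match client.cert"
fi
```

Running `key_matches_cert` on an existing key and certificate pair is a quick way to rule a key mix-up in or out when client authentication fails.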