Gunther Schadow wrote:
> 
> I am trying to set up an easy way for people to get their cert
> into their MS Internet Explorer v4.0 and up.  I know it works
> with Verisign certs and I have a snapshot trail from what they
> do. But I can't get my certs processed.  The best I can get is
> a dumb error number from the ICenroll.acceptPKCS7 routine. I found
> no intelligible description of this stuff apart from examples.
> However, vanilla examples don't help me find my bug. So, is there
> someone out here who has mastered this magic and can give me some
> guidance? BTW: when I produce a PKCS12 file with OpenSSL and
> try to import that, the IE will crash right away.
> 

OK, since Xenroll is the most secure way to give individuals certificates,
I'll stick to that problem.

Can you outline what you've done?

Normally you do something like this.

1. Generate a PKCS#10 request with Xenroll. Set the KeySpec to 1 and
GenKeyFlags to 3.
2. Add BEGIN and END lines to it and get OpenSSL to sign the request.
3. Use crl2pkcs7 to generate a PKCS#7 file with the user certificate in.
4. Strip off the begin and end lines and stuff the result into
acceptPKCS7.

IE 4.0 BTW is pretty horrible when it comes to certificates and in
particular PKCS#12 files: it rejects perfectly valid files because they
don't fit in with its very narrow version of the spec. IE 5.0 is much
better.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
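
The CA-side part of the procedure in the reply above (steps 2 to 4), as an added shell example that is not part of the original message. The file arguments, the 365-day validity and the use of `openssl x509 -req` as the signing command are assumptions; the request's self-signature is checked before anything is signed.

```shell
#!/bin/sh
# Added example: steps 2-4 of the procedure, run on the CA host.
# All file names and the validity period are hypothetical.

# Step 2a: Xenroll returns bare base64, often CRLF-wrapped or as one long
# line. Normalise it to 64-column PEM with the header and footer added.
wrap_pkcs10() {
    printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----'
    tr -d ' \t\r\n' | fold -w 64
    printf '\n%s\n' '-----END CERTIFICATE REQUEST-----'
}

# Step 4: drop the BEGIN/END lines and all line breaks so the result can be
# passed as a single base64 string to acceptPKCS7.
strip_pem() {
    grep -v '^-----' | tr -d ' \t\r\n'
}

# Steps 2b-3: check the request, sign it, wrap the user certificate in a
# certs-only PKCS#7 and print the stripped base64 on stdout.
# usage: issue_pkcs7 xenroll-request.b64 ca-cert.pem ca-key.pem
issue_pkcs7() {
    work=$(mktemp -d) || return 1
    wrap_pkcs10 < "$1" > "$work/req.pem" &&
    # Reject requests whose self-signature does not verify: the requester
    # must hold the private key that Xenroll generated in the browser.
    openssl req -in "$work/req.pem" -noout -verify &&
    # -CAcreateserial writes a serial-number file next to the CA cert.
    openssl x509 -req -in "$work/req.pem" -CA "$2" -CAkey "$3" \
        -CAcreateserial -days 365 -out "$work/cert.pem" &&
    openssl crl2pkcs7 -nocrl -certfile "$work/cert.pem" \
        -out "$work/p7.pem" &&
    strip_pem < "$work/p7.pem"
    rc=$?
    rm -rf "$work"
    return $rc
}

# Run only when called with the three file arguments.
if [ $# -eq 3 ]; then
    issue_pkcs7 "$@"
fi
```
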
