Hello and thanks for reading this:
I use OpenSSL 0.9.5a, Red Hat Linux 6.2, Intel platform.
I'm trying to produce PKCS#12 files to be able to keep the whole generation
process under my control and to distribute only one file (BTW: why is it
taken for such a security bug?). I do it the following way:
First I generate the certificate request
openssl req -new -out certreq.pem -keyout certreq-privkey.pem -outform PEM
...then I sign it...
openssl x509 -req -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -in /usr/local/ssl/certreq.pem -outform pem -out newcert.pem
...and then I try to export it in PKCS#12 format
openssl pkcs12 -export -inkey certreq-privkey.pem -certfile cacert.pem -in newcert.pem -out pkcs12cert.p12
My openssl.cnf contains in its default section:
x509_extensions = usr_cert
and my [ usr_cert ] section contains only
basicConstraints=CA:FALSE
I've also tried to uncomment
nsCertType = client, email
When I test source PEMs for pkcs12 with x509 -purpose, it says they can be
used for S/MIME signing and encryption.
BUT: whenever I import this PKCS#12 file to Netscape Communicator 4.73
(which works smoothly) and try to send a signed e-mail, it says that I don't
have an e-mail certificate.
My experimental certificate authority obviously works ok,
because when I generate a request from Netscape Communicator using
<KEYGEN>,
then format it into
C= ...
ST= ...
...
SPKAC=...
file, sign it with
openssl ca -spkac req.raw -out ucert
and download this file with a small script as x-x509-user-cert to Netscape, I
CAN send signed e-mail.
What's wrong with my PKCS#12 file? Any idea what else could be wrong?
===> Thanks in advance! <===
Ivan Dolezal
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
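
A way to inspect what a PKCS#12 file built with the steps above actually carries, as an added example that is not part of the original post: it reports the e-mail addresses and the S/MIME purpose results of the user certificate inside the file. The function names, the subjects and the password `test` are constructed for illustration, and a current openssl command-line tool is assumed.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes a current openssl CLI.

# p12_leaf FILE PASS: print the user (non-CA) certificate from a PKCS#12 file.
p12_leaf() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -outform PEM 2>/dev/null
}

# p12_smime_report FILE PASS: one summary line, e.g.
#   email=alice@example.test sign=Yes encrypt=Yes
p12_smime_report() {
    leaf=$(p12_leaf "$1" "$2") || return 1
    email=$(printf '%s\n' "$leaf" | openssl x509 -noout -email | tr '\n' ' ' | sed 's/ *$//')
    purposes=$(printf '%s\n' "$leaf" | openssl x509 -noout -purpose)
    sign=$(printf '%s\n' "$purposes" | sed -n 's|^S/MIME signing : ||p')
    enc=$(printf '%s\n' "$purposes" | sed -n 's|^S/MIME encryption : ||p')
    printf 'email=%s sign=%s encrypt=%s\n' "${email:-none}" "$sign" "$enc"
}

# make_p12 DIR NAME SUBJECT: constructed test data. Throwaway CA plus a user
# certificate, built with the same req / x509 -req / pkcs12 -export steps.
make_p12() {
    d=$1; n=$2
    [ -f "$d/ca.pem" ] || openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    openssl x509 -req -in "$d/$n.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/$n.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$d/$n.key" -in "$d/$n.pem" \
        -certfile "$d/ca.pem" -passout pass:test -out "$d/$n.p12"
}

# Demo on constructed subjects: one with an emailAddress, one without.
tmp=$(mktemp -d)
make_p12 "$tmp" with "/CN=Alice Example/emailAddress=alice@example.test"
make_p12 "$tmp" without "/CN=Bob Example"
p12_smime_report "$tmp/with.p12" test
p12_smime_report "$tmp/without.p12" test
rm -rf "$tmp"
```

Both constructed certificates pass the `-purpose` S/MIME checks; only the e-mail field differs between them, which `-purpose` alone does not show.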