> Some people have reported success by converting the key to NET format:
> 
> openssl rsa -in prkey.pem -outform NET -out key.net
> 
> The latest snapshot of OpenSSL also has an -sgckey flag which is needed
> on some versions of IIS which use a modified algorithm.

OK, I seem to have it working. For anyone who cares:

1) The key file must be in NET format, with a password, but can be encrypted
in DES or DES3 or IDEA.

2) The password Key Manager asks for is the password to the key file (not
the IUSR_<hostname> password as someone claimed).

3) I only managed to get it to work with key RSA moduli lengths that were a
power of 2: 512, 1024, and 2048 all worked, but 2100 and 2096 didn't: IIS
accepted the key, but communication failed when trying to use it.

4) The certificate file must not have any text in it before the certificate,
so don't use the -text option on the x509 or ca command you sign it with.

5) SHA-1 certificate signing works, and is arguably more secure than the IIS
default of MD5

So I've managed to move from 1024-bit RSA modulus with MD5 signing generated
by proprietary Microsoft-written code with an unknown random number generator
to a 2048-bit RSA modulus with SHA-1 signing generated by openssl where I
can seed rand myself.

--Roger Dearnaley <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
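The file-level checks behind points 3, 4 and 5 of the post, as an added Python example (not code from the post or from the OpenSSL project): a minimal DER walker reports the RSA modulus size and whether it is a power of two, flags any text sitting before the certificate's PEM header (what `-text` would leave there), and reads the certificate's signatureAlgorithm OID to tell sha1WithRSA from md5WithRSA. The key and certificate it runs on are placeholders constructed inline, not real key material; the NET-format conversion itself is left to the openssl command quoted above, since current OpenSSL releases no longer emit that format.

```python
"""Pre-flight checks for the IIS Key Manager pitfalls listed in the post (points 3, 4, 5):
modulus size must be a power of two, nothing may precede the PEM header, and the
certificate should be signed with sha1WithRSA rather than md5WithRSA.
The sample key and certificate below are constructed placeholders, not real credentials."""
import base64

SHA1_RSA_OID = "1.2.840.113549.1.1.5"   # sha1WithRSAEncryption
MD5_RSA_OID = "1.2.840.113549.1.1.4"    # md5WithRSAEncryption
SIG_NAMES = {SHA1_RSA_OID: "sha1WithRSA", MD5_RSA_OID: "md5WithRSA"}

def der_read(buf, pos=0):
    """Decode one DER TLV at pos; returns (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long form: low bits give length-of-length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def der_children(value):
    """All (tag, value) pairs directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_read(value, pos)
        out.append((tag, v))
    return out

def der_encode(tag, value):
    ln = len(value)
    if ln < 0x80:
        return bytes([tag, ln]) + value
    lb = ln.to_bytes((ln.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_int(n):
    # the extra byte keeps the sign bit clear for positive integers
    return der_encode(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_oid(dotted):
    a = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * a[0] + a[1]])
    for p in a[2:]:
        chunk = [p & 0x7F]
        while p > 0x7F:                 # base-128 with continuation bits, most significant first
            p >>= 7
            chunk.append(0x80 | (p & 0x7F))
        body += bytes(reversed(chunk))
    return der_encode(0x06, bytes(body))

def oid_to_str(value):
    parts, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def pem_wrap(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

def pem_split(text, label):
    """Return (text before the header, DER bytes); point 4 says the first part must be empty."""
    begin, end = f"-----BEGIN {label}-----", f"-----END {label}-----"
    i, j = text.find(begin), text.find(end)
    if i < 0 or j < i:
        raise ValueError(f"no {label} block")
    return text[:i], base64.b64decode("".join(text[i + len(begin):j].split()))

def rsa_modulus_bits(key_der):
    """Modulus size of a PKCS#1 RSAPrivateKey (version, n, e, d, ...) or RSAPublicKey (n, e)."""
    _, body, _ = der_read(key_der)
    fields = der_children(body)
    tag, n = fields[1] if len(fields) > 2 else fields[0]
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(n, "big").bit_length()

def cert_signature_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm SEQUENCE { OID, params }, signature }."""
    _, body, _ = der_read(cert_der)
    _tbs, (_, sigalg), _sig = der_children(body)
    return oid_to_str(der_children(sigalg)[0][1])

def iis_checks(cert_pem, key_pem):
    """Findings for the post's three file-level pitfalls."""
    junk, cert_der = pem_split(cert_pem, "CERTIFICATE")
    _, key_der = pem_split(key_pem, "RSA PRIVATE KEY")
    bits = rsa_modulus_bits(key_der)
    oid = cert_signature_oid(cert_der)
    return {
        "text_before_cert": bool(junk.strip()),
        "modulus_bits": bits,
        "modulus_is_power_of_two": (bits & (bits - 1)) == 0,
        "sig_alg": SIG_NAMES.get(oid, oid),
    }

# --- constructed sample inputs (placeholders, not real key material) --------------
def sample_key_pem(bits):
    n = (1 << (bits - 1)) | 1                        # placeholder modulus of exactly `bits` bits
    fields = [der_int(0), der_int(n)] + [der_int(65537)] * 7   # version, n, e, d, p, q, dp, dq, qinv
    return pem_wrap("RSA PRIVATE KEY", der_encode(0x30, b"".join(fields)))

def sample_cert_pem(sig_oid, text_prefix=""):
    tbs = der_encode(0x30, der_int(1))               # stand-in for a real TBSCertificate
    sigalg = der_encode(0x30, der_oid(sig_oid) + der_encode(0x05, b""))
    sig = der_encode(0x03, b"\x00" * 9)              # placeholder BIT STRING
    return text_prefix + pem_wrap("CERTIFICATE", der_encode(0x30, tbs + sigalg + sig))

if __name__ == "__main__":
    print(iis_checks(sample_cert_pem(SHA1_RSA_OID), sample_key_pem(2048)))
    print(iis_checks(sample_cert_pem(MD5_RSA_OID, "Certificate:\n    Data:\n"), sample_key_pem(2100)))
```

Run it on your own files by reading the certificate and key PEM text into `iis_checks`; the second sample call reproduces the failing combination from the post (2100-bit modulus, `-text` output before the header, MD5 signature) so you can see what each finding looks like.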
