Hello!

Preface:
  I can successfully create and install client certificate into 
netscape from SPKAC request:
  openssl ca -config X -spkac X -out client.crt -days X
and sending it back to browser with header:
  Content-Type: application/x-x509-user-cert

Question:
  I'd like to include CA cert also into my response to browser. 
Manuals say you have to generate PKCS#7 for that with command
  openssl crl2pkcs7 -certfile client.crt -certfile ca.crt -outform DER -out X -nocrl

  But when I send this file back to browser it says to me 
"The Private Key for this certificate can not be found in your key 
database." Probably it sees the CA-s certificate and tries to find 
corresponding private key for it. 

  I also tried to send this pkcs#7 to browser with other headers:
  Content-Type: application/x-x509-pkcs7-crl
and
  Content-Type: application/x-x509-ca-cert
but no luck. The latter form gives me CA certificate but drops the 
actual client certificate I'm mostly interested in.
  I also tried Content-Type: multipart/x-mixed-replace to include 
different Content-type-s into one response -- but it seems that 
Netscape does not like multipart cert-types - it did nothing.
  Finally I found out, that my CA-s certificate was generated without 
basicConstraints = CA:true. I generated new, corrected CA cert -- but 
no change.

  Can anybody give me a hint how to get CA-s certificate into browser 
with same request? I know that I can install CA-s cert separately but 
this is not a good solution because it needs an additional submit from user.

  Last but not least - IE 5 eats this kind of pkcs#7 without a 
problem and installs CA-cert with user-cert at once.
  What a shame - I used to think that Netscape is better in crypto-
side than Explorer...

Regards,
Märt.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
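
A way to check what a crl2pkcs7 bundle like the one in the message above actually contains, and whether the CA certificate carries basicConstraints CA:TRUE. This is an added example, not part of the original post; it assumes a throwaway CA and a client certificate issued from a CSR rather than an SPKAC request, and all file names, subjects and function names are constructed.

```shell
#!/bin/sh
# Added example: constructed test CA and client cert, bundled as in the post.

build_bundle() {
    dir=$1
    # Minimal config so the result does not depend on the system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        'prompt = no' '[dn]' 'CN = Example Test CA' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$dir/req.cnf"
    # Self-signed CA certificate with basicConstraints CA:TRUE.
    openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # Client key and CSR (assumption: CSR stands in for the SPKAC request).
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Example Client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 1 \
        -out "$dir/client.crt" 2>/dev/null || return 1
    # Same bundling command as in the post: certs-only PKCS#7, DER encoded.
    openssl crl2pkcs7 -nocrl -certfile "$dir/client.crt" \
        -certfile "$dir/ca.crt" -outform DER -out "$dir/bundle.p7b"
}

# Subject line of every certificate inside a DER PKCS#7 file.
bundle_subjects() {
    openssl pkcs7 -inform DER -in "$1" -print_certs -noout | grep '^subject'
}

# Number of certificates in the bundle.
bundle_cert_count() {
    bundle_subjects "$1" | grep -c '^subject'
}

# True if the certificate asserts basicConstraints CA:TRUE.
ca_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# True if the client certificate ($2) chains to the CA certificate ($1).
client_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run: build in a temp directory and list what the bundle holds.
demo=$(mktemp -d) && build_bundle "$demo" && bundle_subjects "$demo/bundle.p7b"
rm -rf "$demo"
```
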
