Grant,

Thanks for the pointers. The process ran OK for me, but IE was still not happy with 
the resultant .p12 file, telling me:

The input information is invalid.

If I assume that the .p12 file I am generating is valid, could it be that the problem 
lies elsewhere? For example, a mismatch with CA info in IE or pieces of IE broken or 
missing.

In my case I ran:

openssl req -new -out clienta.csr -keyout clientakey.pem

openssl x509 -req -in clienta.csr -out clienta.pem -CAcreateserial -days 30 -outform PEM \
        -CA /usr/local/apache/conf/ssl.crt/server.crt \
        -CAkey /usr/local/apache/conf/ssl.key/server.key

openssl pkcs12 -export -in clienta.pem -out clienta.p12 -inkey clientakey.pem -name "scott fagg"

regards,


>>> Grant <[EMAIL PROTECTED]> 1/3/01 3:52:22 pm >>>
Here's my steps to create working client certificates:

1. openssl req -new -out clienta.csr -keyout clientakey.pem

Enter the details for the certificate, i.e. common name being the client/employee, "Joe 
Bloggs".

2. openssl x509 -req -in clienta.csr -out clienta.pem -CA YOUR_SERVERS_CERTIFICATE -CAkey YOUR_SERVERS_PRIVATE_KEY -CAcreateserial -days 365 -outform PEM

3. openssl pkcs12 -export -in clienta.pem -out clienta.p12 -inkey clientakey.pem -name "Joe Bloggs"

Distribute clienta.p12 (rename clienta.p12 to Joe_Bloggs.p12) to client/employee.

However, if you decide to revoke the certificate, Apache-SSL will still allow you to 
connect with the revoked certificate.

To stop IE from asking for the password every time you try and hit a webpage document, 
just set the security level to low and disable (uncheck) "Enable strong private key 
protection" when you first import the client certificate.

I hope this helps, it works perfectly for me.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org 
User Support Mailing List                    [EMAIL PROTECTED] 
Automated List Manager                           [EMAIL PROTECTED]
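
Rather than assuming the .p12 is valid, the bundle can be checked independently of the browser. The script below is an added example, not from either poster: it repeats the three steps against a throwaway CA (constructed subjects and password, `-nodes` so it runs unattended; `make_demo` and `check_p12` are hypothetical helper names) and confirms that the bundle decrypts, that the private key matches the certificate, and that the certificate verifies against the CA.

```shell
#!/bin/sh
# Added example: the throwaway CA, subjects and password are constructed;
# make_demo and check_p12 are hypothetical helper names.

# Repeat the thread's three steps against a self-signed test CA.
# -nodes, -subj and -passout are only there to make the run unattended.
make_demo() {   # $1 = empty working directory
    ( cd "$1" &&
      openssl req -x509 -new -nodes -days 30 -subj "/CN=Example Test CA" \
          -keyout ca.key -out ca.pem &&
      openssl req -new -nodes -subj "/CN=Joe Bloggs" \
          -out clienta.csr -keyout clientakey.pem &&
      openssl x509 -req -in clienta.csr -out clienta.pem -CA ca.pem \
          -CAkey ca.key -CAcreateserial -days 30 -outform PEM &&
      openssl pkcs12 -export -in clienta.pem -inkey clientakey.pem \
          -out clienta.p12 -name "Joe Bloggs" -passout pass:demo-pass
    ) >/dev/null 2>&1
}

# Returns 0 when every check passes, 1 otherwise (reason on stdout).
check_p12() {   # $1 = .p12 file, $2 = export password, $3 = CA cert (PEM)
    t=$(mktemp -d) || return 1
    rc=0
    # 1. The container must parse and decrypt with the given password.
    if ! openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts \
            -out "$t/cert.pem" 2>/dev/null ||
       ! openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes \
            -out "$t/key.pem" 2>/dev/null; then
        echo "FAIL: not a readable PKCS#12 file for this password"; rc=1
    # 2. The private key inside must belong to the certificate inside.
    elif [ "$(openssl x509 -in "$t/cert.pem" -noout -pubkey)" != \
           "$(openssl pkey -in "$t/key.pem" -pubout)" ]; then
        echo "FAIL: private key does not match the certificate"; rc=1
    # 3. The certificate must verify against the CA the server trusts.
    elif ! openssl verify -CAfile "$3" "$t/cert.pem" >/dev/null 2>&1; then
        echo "FAIL: certificate does not verify against $3"; rc=1
    else
        echo "OK: $(openssl x509 -in "$t/cert.pem" -noout -subject -enddate | tr '\n' ' ')"
    fi
    rm -rf "$t"   # the extracted key was written unencrypted; remove it
    return $rc
}

# Demo run on a freshly built bundle.
d=$(mktemp -d) && make_demo "$d" && check_p12 "$d/clienta.p12" demo-pass "$d/ca.pem"
```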
