Suen Tak Tsung Daniel wrote:
> 
> Hi All,
> 
> I have created a CA for my organization and have successfully imported the
> CA cert in DER format to an IE 5.5. However, I found that there is no
> friendly name displayed. After poking through the web, someone seems to have
> said that one has to use the pkcs12 format. I know it is available in openssl,
> and so I issued something like:-
> 
> openssl pkcs12 -export -cacert -nokeys -name "My Org" -caname "My Org" \
>    -in cacert.pem -out cacert.pkcs12
> 
> and failed, saying that the command expects a private key. So, I did so with
> additional option "-inkey caprivate.pem", and I succeeded. However, it seems
> that the private key is also contained in this cacert.pkcs12, which is kind
> of strange. I used to think that, well, at least the DER import experience
> told me that this shouldn't be necessary. Then, I imported it in IE5.5, and
> it was OK, but when I viewed it in IE5.5, I found that it has a key sign
> on it. I stopped there, and I found that other certificates come with IE5.5
> don't have such a key sign. So, I just want to know, what's the proper way
> of exporting my ca cert in pkcs12 format, so that IE5.5 and Netscape can
> eat them cleanly and smoothly? Appreciate any help!
> 

DO NOT DO THIS!!! This reduces your CA security to zero because any user
can then create any certificate because you've given them a copy of its
private key!

If user certificates and private keys were imported as PKCS#12 files you
could have added the CA certificate (not its private key!) to the file
and included a friendly name.

As things are I'm not sure if there is a way to import just a CA
certificate with a friendly name, I've not seen this documented.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
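
The layout the reply describes, next to a check for the mistake it warns about, as an added example that is not part of the original thread. The throwaway CA and user, the file names `userkey.pem`, `usercert.pem` and `user.pkcs12`, the password `demo` and the helper function names are all assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: the CA, user, file names and password are constructed throwaway values.

# Exit 0 if PKCS#12 file $1 (password $2) holds the private key matching the
# certificate in $3. Only the first private key in the file is compared.
p12_has_key_for_cert() {
    cert_pub=$(openssl x509 -in "$3" -noout -pubkey 2>/dev/null)
    p12_pub=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null |
              openssl pkey -pubout 2>/dev/null)
    [ -n "$p12_pub" ] && [ "$p12_pub" = "$cert_pub" ]
}

# Print how many certificate bags in $1 (password $2) carry the friendly name $3.
p12_friendly_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
        grep -c "friendlyName: $3" || true
}

# Build a throwaway CA, one user certificate and both kinds of PKCS#12 file in $1.
make_demo() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=My Org CA" \
        -keyout "$d/caprivate.pem" -out "$d/cacert.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo User" \
        -keyout "$d/userkey.pem" -out "$d/user.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/user.csr" -days 1 -CA "$d/cacert.pem" \
        -CAkey "$d/caprivate.pem" -CAcreateserial -out "$d/usercert.pem" 2>/dev/null &&
    # What the question ended up with: the CA private key travels with the certificate.
    openssl pkcs12 -export -name "My Org" -inkey "$d/caprivate.pem" \
        -in "$d/cacert.pem" -out "$d/cacert.pkcs12" -passout pass:demo &&
    # What the reply describes: user key and certificate, plus the CA certificate only.
    openssl pkcs12 -export -name "Demo User" -caname "My Org" \
        -inkey "$d/userkey.pem" -in "$d/usercert.pem" -certfile "$d/cacert.pem" \
        -out "$d/user.pkcs12" -passout pass:demo
}

trap 'rm -rf "$demo_dir"' EXIT
demo_dir=$(mktemp -d) && make_demo "$demo_dir" || exit 1
for f in cacert.pkcs12 user.pkcs12; do
    if p12_has_key_for_cert "$demo_dir/$f" demo "$demo_dir/cacert.pem"; then
        echo "$f: contains the CA private key, do not distribute"
    else
        n=$(p12_friendly_count "$demo_dir/$f" demo "My Org")
        echo "$f: no CA private key, $n certificate(s) named My Org"
    fi
done
```
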
