Hi,
I think in order to import a certificate with a friendly name you should
convert the X509 cert into a PKCS#7 one. You can then import the CERT.P7C
file to IE. I never really tried that, so I looked now and found no way to
convert to a PKCS#7 with the openssl utility. If there really is no command
line way to do the conversion, it doesn't seem too complicated to write a
short program that does that.
Tal
> -----Original Message-----
> From: Dr S N Henson [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, April 11, 2001 2:12 PM
> To: [EMAIL PROTECTED]
> Subject: Re: pkcs12 and CA cert ?
>
>
>
> Suen Tak Tsung Daniel wrote:
> >
> > Hi All,
> >
> > I have created a CA for my organization and have successfully imported the
> > CA cert in DER format to an IE 5.5. However, I found that there is no
> > friendly name displayed. After poking through the web, someone seems to have
> > said that one has to use the pkcs12 format. I know it is available in openssl,
> > and so I issued something like:-
> >
> > openssl pkcs12 -export -cacert -nokeys -name "My Org" -caname "My Org" \
> > -in cacert.pem -out cacert.pkcs12
> >
> > and failed, saying that the command expects a private key. So, I did so with
> > additional option "-inkey caprivate.pem", and I succeeded. However, it seems
> > that the private key is also contained in this cacert.pkcs12, which is kind
> > of strange. I used to think that, well, at least the DER import experience
> > told me that this shouldn't be necessary. Then, I imported it in IE5.5, and
> > it was OK, but when I viewed it in IE5.5, I found that it has a key sign
> > on it. I stopped there, and I found that other certificates that come with
> > IE5.5 don't have such a key sign. So, I just want to know, what's the proper way
> > of exporting my ca cert in pkcs12 format, so that IE5.5 and Netscape can
> > eat them cleanly and smoothly? Appreciate any help!
> >
>
> DO NOT DO THIS!!! This reduces your CA security to zero because any user
> can then create any certificate because you've given them a copy of its
> private key!
>
> If user certificates and private keys were imported as PKCS#12 files you
> could have added the CA certificate (not its private key!) to the file
> and included a friendly name.
>
> As things are I'm not sure if there is a way to import just a CA
> certificate with a friendly name, I've not seen this documented.
>
> Steve.
> --
> Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
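The difference between the two exports discussed in this thread, as an added example that is not part of any poster's message: it builds a throwaway CA, exports it once with `-inkey` and once with `-nokeys` only, and counts the key bags in each PKCS#12 file. It assumes an OpenSSL release in which `pkcs12 -export -nokeys` no longer asks for a private key (the build used in the thread did); the subject, password and output file names are constructed.

```shell
#!/bin/sh
# Added example. cacert.pem / caprivate.pem are the thread's file names; the
# subject, the password "demo" and the output names are constructed.

# Throwaway self-signed CA so the demo never touches a real key.
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo CA" \
        -keyout caprivate.pem -out cacert.pem 2>/dev/null
}

# The export that "succeeded" in the thread: -inkey puts the CA key in the file.
export_with_key() {
    openssl pkcs12 -export -in cacert.pem -inkey caprivate.pem \
        -name "My Org" -passout pass:demo -out "$1"
}

# Certificate-only export: -nokeys and no -inkey, so no key can be packed.
export_cert_only() {
    openssl pkcs12 -export -nokeys -in cacert.pem \
        -caname "My Org" -passout pass:demo -out "$1"
}

# Count key bags from the structure listing (-info goes to stderr; -noout
# suppresses the PEM dump, so no key material is printed).
count_key_bags() {  # usage: count_key_bags FILE PASSWORD
    openssl pkcs12 -in "$1" -passin "pass:$2" -info -noout 2>&1 |
        grep -cE '^(Shrouded Keybag|Key bag)' || true
}

# Run both exports in a scratch directory and report what each file holds.
(
    cd "$(mktemp -d)" || exit 1
    make_demo_ca && export_with_key with_key.p12 &&
        export_cert_only cert_only.p12 || exit 1
    echo "-inkey export:  $(count_key_bags with_key.p12 demo) key bag(s)"
    echo "-nokeys export: $(count_key_bags cert_only.p12 demo) key bag(s)"
)
```

A non-zero count for any file handed to users means a private key is being distributed with the certificate.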