David Feilen wrote: > > I have generated a certificate to use as a CA root certificate. All I > want to do is export it as pkcs12 _without_ the private key so it can be > installed as a trusted certificate by the end user. > > I thought this would do it. Using OpenSSL 0.9.5a > > openssl pkcs12 -export -nokeys -cacerts -in mycert.pem -inkey mycert.key > -out mycert.p12 > > However it still prompts me to enter an export passphrase and includes > the private key. > > Has anyone got any ideas? > What am I doing wrong?
You can't import CA certificates like that. Instead you need to send the certificate in DER format as MIME type application/x-x509-ca-cert for Netscape or with an extension like .cacert or .der for MSIE. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Gemplus: http://www.gemplus.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
