> > I have generated a certificate to use as a CA root certificate. All I
> > want to do is export it as pkcs12 _without_ the private key so it can be
> > installed as a trusted certificate by the end user.
> >
> > I thought this would do it. Using OpenSSL 0.9.5a
> >
> > openssl pkcs12 -export -nokeys -cacerts -in mycert.pem -inkey mycert.key
> > -out mycert.p12
> >
> > However it still prompts me to enter an export passphrase and includes
> > the private key.
> >
> > Has anyone got any ideas?
> > What am I doing wrong?
>
> You can't import CA certificates like that. Instead you need to send the
> certificate in DER format as MIME type application/x-x509-ca-cert for
> Netscape or with an extension like .cacert or .der for MSIE.

I also have a problem understanding all the bits & pieces. Let me ask
this question: I have a self-signed CA root certificate. I also
have generated a user key and the corresponding user certificate.
Now I'd like to send the user key, user certificate and the CA root
certificate (without CA root key) to the user as a PKCS12 file like

openssl pkcs12 -export -in user.crt -inkey user.key \
-certfile ca.crt -name "User cert for xyz" -out user.p12

I don't know what mail user agent will be used (perhaps neither Netscape
nor MSIE). What format/command should be used to exchange these
certificates (e.g. by email) to enable the user to send S/MIME
signed emails to me?

Also the other way around: what format/command should be used to
send him my certificate so that he can verify my signature?

Thank you and best regards

-- Beat
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
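
Added example, not part of the original thread or of OpenSSL's own documentation: it builds the PKCS#12 bundle from the message above and the DER-encoded CA certificate mentioned in the quoted reply, then counts what the bundle contains. The CA, the user, every subject and file name, and the export password are constructed placeholders; it assumes a current `openssl` binary rather than 0.9.5a.

```shell
#!/bin/sh
# Added example: constructed throwaway CA and user. Subjects, file names and
# the export password are placeholders, not values from the thread.
set -eu
PASS="pass:example-only"

make_demo_pki() (            # $1 = working directory; subshell keeps the cd local
    cd "$1"
    # Self-signed CA root; ca.key is used only to sign and is never exported
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Root CA" -keyout ca.key -out ca.crt 2>/dev/null
    # User key and certificate signed by that CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example User" \
        -keyout user.key -out user.csr 2>/dev/null
    openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -days 30 -out user.crt 2>/dev/null
)

export_for_user() (          # $1 = working directory
    cd "$1"
    # User key + user cert + CA cert in one PKCS#12; ca.key is not an input
    openssl pkcs12 -export -in user.crt -inkey user.key -certfile ca.crt \
        -name "User cert for xyz" -passout "$PASS" -out user.p12
    # CA certificate alone, DER-encoded, for installation as a trust anchor
    openssl x509 -in ca.crt -outform DER -out ca.der
)

count_in_p12() {             # $1 = .p12 file, $2 = PEM label to count
    openssl pkcs12 -in "$1" -passin "$PASS" -nodes 2>/dev/null \
        | grep -c "BEGIN .*$2" || true
}

fingerprint() {              # $1 = PEM or DER, $2 = certificate file
    openssl x509 -inform "$1" -in "$2" -noout -fingerprint -sha256
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_demo_pki "$WORK"
export_for_user "$WORK"
echo "certificates in user.p12: $(count_in_p12 "$WORK/user.p12" CERTIFICATE)"
echo "private keys in user.p12: $(count_in_p12 "$WORK/user.p12" "PRIVATE KEY")"
```

The single private key in the bundle is the user's, since `ca.key` is never passed to the export; the `fingerprint` helper can be used to confirm that `ca.der` is the same certificate as `ca.crt`.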