Beat Jucker wrote:
>
> I also have a problem to understand all the bits&pieces. Let me ask
> this question: I have a self signed CA root certificate. I also
> have generated a user key and the corresponding user certificate.
> Now I'd like to send the user key, user certificate and the CA root
> certificate (without CA root key) to the user as a PKCS12 file like
>
>    openssl pkcs12 -export -in user.crt -inkey user.key \
>        -certfile ca.crt -name "User cert for xyz" -out user.p12
>
> I don't know what mail user agent will be used (perhaps neither Netscape
> nor MSIE). What format/command should be used to exchange these
> certificates (e.g. by email) to enable the user sending S/MIME
> signed emails to me?
>

With Netscape and MSIE you need to save the PKCS#12 file somewhere and
manually import it using the certificate wizards. With MSIE it will also
prompt you to add the root CA to the trusted store if it's not already
present.

Other applications may use different techniques or indeed may not
understand PKCS#12 format at all.

> Also the other way around: what format/command should be used to
> send him my certificate that he can verify my signature?
>

If the user already has the root CA installed on his system then it
should just be a case of sending him a signed email. If the root CA
isn't installed then the verification will fail.

Steve.
--
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED]
PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
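
The two outcomes described in the reply can be reproduced with a throwaway CA. This is an added example, not part of the original message: the subject names, export password and message text are constructed, and leaving out `-CAfile` stands in for a client that does not have the root CA installed.

```shell
#!/bin/sh
# Added example. The CA, user, password and message are throwaway values
# constructed for this demo; file names follow the command in the post.
PASS=pass:demo-only

make_pki() {    # $1 = work dir: root CA, user cert, and the PKCS#12 bundle
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo User" \
        -keyout "$1/user.key" -out "$1/user.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/user.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/user.crt" 2>/dev/null &&
    # Export command from the post, plus an export password for the bundle.
    openssl pkcs12 -export -in "$1/user.crt" -inkey "$1/user.key" \
        -certfile "$1/ca.crt" -name "User cert for xyz" \
        -passout "$PASS" -out "$1/user.p12"
}

sign_mail() {   # user side: unpack cert+key from the bundle, sign a message
    openssl pkcs12 -in "$1/user.p12" -passin "$PASS" -nodes -clcerts \
        -out "$1/user.pem" 2>/dev/null &&
    printf 'Signed test mail.\n' > "$1/msg.txt" &&
    openssl smime -sign -in "$1/msg.txt" -signer "$1/user.pem" \
        -out "$1/signed.eml"
}

p12_has_root() {  # the CA cert inside the bundle is the same root
    a=$(openssl x509 -in "$1/ca.crt" -noout -fingerprint -sha256) &&
    b=$(openssl pkcs12 -in "$1/user.p12" -passin "$PASS" -nokeys -cacerts \
            2>/dev/null | openssl x509 -noout -fingerprint -sha256) &&
    [ "$a" = "$b" ]
}

verify_with_root() {     # recipient trusts the root CA
    openssl smime -verify -in "$1/signed.eml" -CAfile "$1/ca.crt" \
        -out /dev/null 2>/dev/null
}
verify_without_root() {  # root CA not installed: default trust store only
    openssl smime -verify -in "$1/signed.eml" -out /dev/null 2>/dev/null
}

demo=$(mktemp -d) || exit 1
trap 'rm -rf "$demo"' EXIT          # the demo private keys do not outlive the run
make_pki "$demo" && sign_mail "$demo" || exit 1
p12_has_root "$demo"        && echo "bundle carries the root CA"
verify_with_root "$demo"    && echo "with root CA: signature verifies"
verify_without_root "$demo" || echo "without root CA: verification fails"
```

The signed message already carries the signer's certificate, so the only thing the verifying side needs beforehand is the root CA certificate; the CA private key never leaves the issuer.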
