Well, I know squat about using pkcs#12, but I've had no trouble at all generating reqs on NT and signing them with any version of openssl (be the platform linux or whatnot).
I don't think IIS is set up to export the private key either. But for a plain old x509 type of deal, I've had not a problem (just remove the text at the top of the signed req). Now, I don't have my CA running all the time, and I don't know how this affects stuff. I'm hoping it's just for revocation and such, but I need to learn more. For all I know IIS says "yup, yer secure" but in reality it's all still in cleartext. Maybe I'll check the answers Chalendra(sp?) got and watch some info get transferred. (or figure out the openssl commands that do it:).

Advice to self. OpenSSL is just kewler than using some MS thingy.

The command that usually works for me is something like this (on your linux box that has openssl)

    openssl ca -config _config file_ -days _# of days_ -in _certreq_ -out _name of signed cert_

Example:

    openssl ca -config openssl.conf -days 365 -in certreq.txt -out signedcert.txt

You may need to edit the config file a little (tell it not to care about matching CO's and such) or make sure you created your signing certificate with the same info as in the certificate request.

If anything I'm sure it's pretty weak, but IIS doesn't choke on the signed certs at least. =/ Guess it depends on what you use it for and such....

On Fri, 2 Aug 2002, Michael Staszewski II wrote:

> This is the link for the MS certs, sorry.
>
> http://sectest.rte.microsoft.com/Default.htm
>
> Click on 'Local Standalone CA' in the lower left of screen.
>
> Michael
> ----- Original Message -----
> From: "Christian Hohnstaedt" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, August 02, 2002 2:57 PM
> Subject: Re: self signing - me as the CA
>
> > On Fri, Aug 02, 2002 at 10:34:35AM -0500, David Iungerich wrote:
> > > Based on my needs, I believe utilizing the tools I already have would be best
> > > for me. That said, does anyone have a yes or no answer for me as to whether
> > > it will work. Again, the scenario follows.
> > >
> > > I have a situation where a test box is an NT machine. It happens to have
> > > IIS running on it. (Won't be using it, but it's there.) Anyone see any
> > > issue with me using it to generate a certificate request, then taking that
> > > req over to a Linux box I have running with openssl, use open ssl to build
> > > the cert and public key, then using what was generated back on the NT box?
> > > Also, if anyone has the suggestions for the openssl command syntax, that
> > > would be nice too. I'd kind of like to ultimately be using a pkcs#12 cert
> > > and public key. We'll be using a Verisign cert on our production box, but
> > > for this test box, it's NT, and I'm looking for the simplest route to
> > > getting a self-signed cert on that box.
> >
> > consider the following:
> >
> > o I'm not sure, if NT/IIS will be happy with a self signed certificate to
> >   be used as SSL/server certificate
> >
> > o for creating a self signed cert from a PKCS#10 request requires the private key
> >   and I'm not sure if NT/IIS enables you to export that key.
> >
> > Possible solutions:
> >
> > o create a selfsigned cert with openssl, convert it to PKCS12 and import it
> >   to NT/IIS
> >
> > o create a CAcert with openssl, use it for signing the NT/IIS request
> >   and import the signed request and the CA cert into your NT/IIS box
> >   the CA.pl tool will assist you doing this.
> >
> > regards
> >
> > Christian

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
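
Added example (not part of the original thread and not the OpenSSL project's own material): the signing step discussed above, run end to end against a throwaway test CA, including the relaxed name-matching policy and stripping the text dump from the signed output. The file names follow the thread's example command; the subject names, the policy_anything section and the locally generated request standing in for the one IIS would produce are assumptions.

```shell
# Added example: throwaway test CA in a temp directory; all names are constructed.
set -eu
sign_request() {  # $1 = empty work directory
  d=$1
  mkdir -p "$d/newcerts"; : > "$d/index.txt"; echo 01 > "$d/serial"
  # policy_anything: the request's country/organization need not match the
  # CA's (the config edit the thread mentions about "matching CO's").
  cat > "$d/openssl.conf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
database = $d/index.txt
new_certs_dir = $d/newcerts
serial = $d/serial
certificate = $d/ca.pem
private_key = $d/ca.key
default_md = sha256
policy = policy_anything
[ policy_anything ]
countryName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  # Test CA key and self-signed CA certificate.
  openssl req -x509 -config "$d/openssl.conf" -newkey rsa:2048 -nodes -days 365 \
    -subj "/C=US/O=Test CA/CN=Test Root" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  # Stand-in for the IIS-generated request (different C and O on purpose).
  openssl req -new -config "$d/openssl.conf" -newkey rsa:2048 -nodes \
    -subj "/C=DE/O=Test Box/CN=testbox.example" -keyout "$d/server.key" -out "$d/certreq.txt" 2>/dev/null
  # The thread's command; -batch skips the interactive confirmation.
  openssl ca -batch -config "$d/openssl.conf" -days 365 -in "$d/certreq.txt" -out "$d/signedcert.txt" 2>/dev/null
  # signedcert.txt carries a text dump above the PEM block; re-emit only the PEM.
  openssl x509 -in "$d/signedcert.txt" -out "$d/signedcert.pem"
}
verify_chain() {  # succeeds if the cert chains to the CA and carries the request's key
  openssl verify -CAfile "$1/ca.pem" "$1/signedcert.pem" >/dev/null 2>&1 || return 1
  a=$(openssl x509 -in "$1/signedcert.pem" -noout -pubkey | openssl sha256)
  b=$(openssl pkey -in "$1/server.key" -pubout | openssl sha256)
  [ "$a" = "$b" ]
}
work=$(mktemp -d)
sign_request "$work"
verify_chain "$work" && echo "signed cert chains to the test CA and matches the request key"
```

In the scenario from the thread, server.key never exists on the Linux box: the private key stays on the machine that generated the request, and only certreq.txt and the signed certificate move between hosts.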
