As far as I know there are only two ways of importing a CA certificate
into the Netscape browser:

        1) Through an HTTP/HTTPS connection to a Web server hosting the
CA certificate (using MIME type application/x-x509-ca-cert)

        2) Importing it piggybacked in a user PKCS#12 (i.e., you import
a user certificate and the CA certificate)

I have never used PKCS#12 for importing CA certificates only. It bothers
me to learn that it could be a proper usage of the PKCS#12 format. I always
thought about it as a means for moving certs and keys around with
a certain amount of confidentiality and integrity.

It is kind of annoying that every PKI paper states the need for
out-of-band initialization of CA certificates and Netscape/Mozilla
browsers do not support common formats (IE uses PKCS#7 for example,
much more suited to this purpose).

Hope it helps


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matthew Hall
Sent: Friday, 22 November, 2002 9:13 
To: [EMAIL PROTECTED]
Subject: Re: Converting own CA certificate to pkcs12


On Thu, 21 Nov 2002, mikecross wrote:

> Seems to me that your problem is that you didn't supply password.
> PKCS12 format stores Private + Public key pair
> encrypted with password.

Why would I want to store all this in a pkcs12 file that
I want to give to clients/other people to import into
their browser? Why would I want to encrypt it when I want
it made freely available?

Anyway - if someone could confirm how to take a Certificate Authority
Certificate, convert it into pkcs12 and put it into a form for Mozilla
or Netscape to import, that would be great.

> > Converting it to DER format was easy:
> >
> > openssl x509 -in ca.crt -out ca.der -outform DER
> >
> > I'm having issues doing the same with pkcs12, I found something
> > that seemed close:
> >
> > openssl pkcs12 -export -inkey ca.key -in ca.crt -out ca.p12 -name "Angui.sh Certificate Authority"
> >
> > But I thought I remember seeing a warning against doing that since
> > it may include sensitive information into that file. And what's with
> > the Export and Import passwords? What are they exactly? Am I missing
> > some other command-line args, or is there a better way?
> >
> > Can someone help?
> >
> > Thanks!
> >
> > --
> > It's always September somewhere on the 'net. | http://angui.sh
> > Another proud member of Eep's killfile.      | Unix Sys. Admin.
> > unreal://angui.sh                            | [EMAIL PROTECTED]
> >
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    [EMAIL PROTECTED]
> > Automated List Manager                           [EMAIL PROTECTED]
>
>

-- 
It's always September somewhere on the 'net. | http://angui.sh
Another proud member of Eep's killfile.      | Unix Sys. Admin.
unreal://angui.sh                            | [EMAIL PROTECTED]
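
The warning quoted above about the `-inkey ca.key` export can be checked directly. The script below is an added example, not code from anyone in the thread: it builds a throwaway CA, runs the thread's two conversions, and reports which output file carries the private key. The function names, the sample subject, the friendly name and the password `example` are assumptions.

```shell
#!/bin/sh
# Added example. File names follow the thread; the subject, friendly name and
# password are constructed sample values.

# Throwaway self-signed CA in directory $1 (not a real CA).
make_sample_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Sample CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# The thread's two conversions, run non-interactively on directory $1.
export_der() {
    openssl x509 -in "$1/ca.crt" -out "$1/ca.der" -outform DER
}
export_p12_with_key() {   # $2 = export password
    openssl pkcs12 -export -inkey "$1/ca.key" -in "$1/ca.crt" \
        -out "$1/ca.p12" -name "Sample CA" -passout "pass:$2"
}

# True if PKCS#12 file $1, opened with password $2, yields a private key.
p12_has_key() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null |
        grep -q 'PRIVATE KEY'
}

# True if file $1 parses as a DER-encoded X.509 certificate.
is_der_cert() {
    openssl x509 -inform DER -in "$1" -noout 2>/dev/null
}

# Print what file $1 would hand to whoever imports it. A wrong password
# gives "unknown", never "certificate-only".
classify() {
    if p12_has_key "$1" "$2"; then echo "private-key"
    elif is_der_cert "$1"; then echo "certificate-only"
    else echo "unknown"
    fi
}

dir=$(mktemp -d)
make_sample_ca "$dir" && export_der "$dir" && export_p12_with_key "$dir" example
echo "ca.der: $(classify "$dir/ca.der" example)"
echo "ca.p12: $(classify "$dir/ca.p12" example)"
rm -rf "$dir"
```

Only `ca.der` (or `ca.crt`) is suitable for a public download; the `ca.p12` produced by the thread's command hands the CA's signing key to anyone who knows the export password.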
