(resend because it seems not to have arrived at the list, maybe because it is subscribers only?)
Sorry if this has been asked before, but I have a few questions regarding creating a CA root certificate.

I create the root certificate like this:

    ../openssl req -config ../ca.cnf -x509 -new -days 3652 -out domain_comCA.cert -keyout domain_comCA.key

I use the resulting .cert file in Apache's SSLCACertificateFile config entry.

Then I create a pkcs12 file for people to download (because that supports the "friendly name"):

    ../openssl pkcs12 -export -nokeys -inkey domain_comCA.key -in domain_comCA.cert -out file.p12 -caname "Domain.com Certification Authority" -name "Domain.com"

Later on I create a site certificate for a server, which will get signed by this root certificate.

It all works really nicely; however, I do have some questions:

How can I add an "issuer statement" so the user can check what the CA's policy is? (This is usually a URL.)

The pkcs12 exports the private key as well, although I thought -nokeys should prevent that. Why is that? I saw no difference with or without -nokeys in the exported pkcs12 file (they have the same size). I don't want my private key up for download, so how can I prevent that?

Please include my email when replying, as I am not on this list.

Thanx!

Th.

--
__Thijmen Klok________
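
Added example, not part of the original post and not OpenSSL project code: a shell check for the concern raised above, reporting whether a PKCS#12 file contains a private key before it is offered for download. The throwaway CA, the file names and the password "demo" are constructed for the demonstration, and the function names are hypothetical.

```shell
#!/bin/sh
# p12_has_private_key FILE PASSWORD
# Returns 0 if the bundle holds at least one private key,
#         1 if it holds none,
#         2 if the bundle cannot be read (missing file, wrong password).
p12_has_private_key() {
    # -nocerts suppresses certificates, -nodes leaves any key unencrypted,
    # so anything printed with a PRIVATE KEY header is a key in the bundle.
    out=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null) || return 2
    printf '%s\n' "$out" | grep -q 'PRIVATE KEY-----' && return 0
    return 1
}

# make_demo_bundles DIR
# Builds a constructed one-day test CA in DIR plus two bundles:
# with_key.p12 (certificate and key) and certs_only.p12 (certificate only).
make_demo_bundles() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.cert" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$1/ca.key" -in "$1/ca.cert" \
        -out "$1/with_key.p12" -passout pass:demo || return 1
    # No -inkey here: the key file is never handed to the export step.
    openssl pkcs12 -export -nokeys -in "$1/ca.cert" \
        -out "$1/certs_only.p12" -passout pass:demo || return 1
}

# Demonstration run on the constructed bundles.
demo_dir=$(mktemp -d)
if make_demo_bundles "$demo_dir"; then
    for f in with_key.p12 certs_only.p12; do
        rc=0
        p12_has_private_key "$demo_dir/$f" demo || rc=$?
        case $rc in
            0) echo "$f: contains a private key, do not publish" ;;
            1) echo "$f: no private key found" ;;
            *) echo "$f: could not be read" ;;
        esac
    done
fi
rm -rf "$demo_dir"
```

The check reads the finished file, so it applies however the bundle was produced.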