On Tue, Jul 22, 2003, 5468696A6D656E wrote:

> (resend because it seems not to have arrived at the list, maybe because it
> is subscribers only?)
>
> Sorry if this has been asked before, but I have a few questions regarding
> creating a CA root certificate. I create the root certificate like this:
>
> ../openssl req -config ../ca.cnf -x509 -new -days 3652 -out domain_comCA.cert -keyout domain_comCA.key
>
> The resulting .cert file I use in Apache's SSLCACertificateFile config entry.
>
> Then I create a pkcs12 file for people to download (because that supports
> the "friendly name"):
>
> ../openssl pkcs12 -export -nokeys -inkey domain_comCA.key -in domain_comCA.cert -out file.p12 -caname "Domain.com Certification Authority" -name "Domain.com"
>
> Later on I create a site certificate for a server, which will get signed by
> this root certificate. It all works really nicely, however I do have some
> questions:
>
> How can I add an "issuer statement" so your user can check on what the CA's
> policy is? (This is usually a URL.)
>
> The pkcs12 exports the private key as well, although I thought -nokeys
> should prevent that. Why is that? I saw no difference with or without
> -nokeys in the exported pkcs12 file (they have the same size). I don't want
> my private key up for download, so how can I prevent that?
In OpenSSL 0.9.7 and earlier -nokeys only affects output files when converting from PKCS#12 to PEM. Many browsers only handle PKCS#12 files properly when a private key is included and give strange errors when one is absent. Some of the newer versions can handle them though, so OpenSSL 0.9.8 does handle -nokeys when creating a PKCS#12 file.

Read the FAQ as to why you shouldn't include the CA private key: it reduces your CA security to zero. Instead you should send the file with a link including it as type application/x-x509-cacert and an appropriate extension such as .cer

The policy can be set using the certificatePolicies extension, see doc/openssl.txt.

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
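The two points in the reply above (a policy URL via certificatePolicies, and a download file that carries no private key) put into a runnable script. This is an added example, not code from either poster or from the OpenSSL project; the domain, the policy OID, the CPS URL, the export password and the working directory are constructed placeholders, and it assumes an openssl binary new enough to honour -nokeys on export (0.9.8 or later, per the reply).

```shell
#!/bin/sh
# Added example (not from the thread). Builds a self-signed CA root whose
# config adds a certificatePolicies extension pointing at a CPS URL, exports a
# certificate-only file for download, and checks that nothing destined for the
# download directory contains a private key. All names below are placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"
POLICY_OID="1.3.6.1.4.1.99999.1.1"             # placeholder enterprise OID
CPS_URL="http://www.example.com/ca/cps.html"    # placeholder policy statement URL
P12_PASS="pass:download"                        # placeholder, PKCS#12 needs a MAC password

# Minimal req config; [ca_ext] is what adds the Certificate Policies extension.
write_config() {
    cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext

[ dn ]
CN = Example.com Certification Authority
O = Example.com

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
certificatePolicies = @policy

[ policy ]
policyIdentifier = $POLICY_OID
CPS.1 = "$CPS_URL"
EOF
}

# Self-signed root, as in the original post but with the policy extension.
# -nodes only so the example runs unattended; a real CA key should be encrypted.
make_root() {
    write_config
    openssl req -config "$WORK/ca.cnf" -x509 -new -newkey rsa:2048 -nodes \
        -days 3652 -keyout "$WORK/ca.key" -out "$WORK/ca.cert" 2>/dev/null
    # The file to publish: the certificate alone, with a .cer extension.
    cp "$WORK/ca.cert" "$WORK/ca.cer"
}

# Certificate-only PKCS#12 for browsers that want the friendly name.
export_p12() {
    openssl pkcs12 -export -nokeys -in "$WORK/ca.cert" -out "$WORK/ca.p12" \
        -caname "Example.com Certification Authority" -passout "$P12_PASS"
}

# 0 when the root carries the Certificate Policies extension with our CPS URL.
has_policy_extension() {
    openssl x509 -in "$WORK/ca.cert" -noout -text | grep -q "CPS: $CPS_URL"
}

# 0 when a PEM file holds no private key block; run this on every file before
# it goes into a download directory.
file_has_no_private_key() {
    ! grep -q "PRIVATE KEY" "$1"
}

# 0 when the PKCS#12 file unpacks to certificates only.
p12_has_no_private_key() {
    ! openssl pkcs12 -in "$WORK/ca.p12" -passin "$P12_PASS" -nodes 2>/dev/null \
        | grep -q "PRIVATE KEY"
}

run_all() {
    make_root
    export_p12
    has_policy_extension && echo "policy extension present in $WORK/ca.cert"
    file_has_no_private_key "$WORK/ca.cer" && echo "$WORK/ca.cer is safe to publish"
    p12_has_no_private_key && echo "$WORK/ca.p12 contains no private key"
    file_has_no_private_key "$WORK/ca.key" || echo "$WORK/ca.key holds the key: never publish it"
}

run_all
```

The script leaves the private key in ca.key and only ever copies ca.cert into the files meant for download; the two `*_has_no_private_key` checks are the guard worth keeping in any publish step. To serve the .cer file with the content type the reply recommends, Apache's `AddType` directive maps an extension to a MIME type (the widely used spelling of the type is application/x-x509-ca-cert).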