On Fri, Mar 19, 2004, Jeremy M. Guthrie wrote: > > openssl pkcs12 -in key.pem -out key.pkcs12 -export -certfile cert.pem > No certificate matches private key >
There is actually no requirement in the PKCS#12 standard to include a matching certificate and private key. However most browsers at the time did weird things if one wasn't present so OpenSSL required this. All versions of the OpenSSL pkcs12 utility should be able to extract private keys from PKCS#12 files whether they have corresponding certificates or not. In OpenSSL 0.9.7 and earlier however you needed to include a certificate which matched the given private key when you *create* a PKCS#12 using the -export option. Creating a self signed certificate is one option. In 0.9.8-dev you can create a PKCS#12 file including a private key *without* the corresponding certificate using the -nocerts option. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
