On Mon, Oct 31, 2005, Cesc wrote:

> For the sake of completion in this thread, this is what I did ...
> openssl crl2pkcs7 -nocrl -certfile user.pem -certfile intermediate.pem -certfile root.pem -outform DER -out user.p7c
> Actually, the root.pem cert need not be included ... as long as it is in
> the trusted certs repository it all works fine.
> 
> I got this to work in Windows (add root.pem as trusted, then double-click on
> user.p7c and it says trusted).

Ah, the PKCS#7 stuff was when you were installing the certificate
corresponding to a private key.

If you just want a browser to trust anything signed by the root CA you just
need to install the root CA as trusted.

It is the peer's responsibility to send out intermediate certificates (at
least for SSL and normally for S/MIME too).


> But, will this user.p7c be accepted on the setup of the web server (apache)?
> I tried using it with s_server ... no luck.

For those cases you can include the certificates in the trusted store (e.g.
concatenate them and use the -CAfile option) or include the intermediate CA in
the extra certificates option for Apache.

You can use s_client to check they are all sent out when you connect.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
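
Added example, not part of the original message: a throwaway three-level chain showing why a verifier that trusts only the root rejects user.pem unless the intermediate is either supplied alongside it (-untrusted stands in for what a peer sends) or concatenated into the -CAfile. The "Demo" subject names, the temp directory and the helper names are constructed for this example.

```shell
#!/bin/sh
# Constructed demo: every file name and subject name below is made up.

# Build a throwaway root -> intermediate -> user chain in a temp directory.
make_chain() {
    dir=$(mktemp -d) && cd "$dir" || return 1
    # Extensions that mark a certificate as a CA (used for root and intermediate).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    for n in root int user; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
            -subj "/CN=Demo $n" -out "$n.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -days 2 -out root.pem 2>/dev/null &&
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile ca.ext -days 2 -out intermediate.pem 2>/dev/null &&
    openssl x509 -req -in user.csr -CA intermediate.pem -CAkey int.key \
        -CAcreateserial -days 2 -out user.pem 2>/dev/null
}

# True only if "openssl verify" reports user.pem as OK with the given options.
chain_ok() {
    openssl verify "$@" user.pem 2>&1 | grep -q '^user.pem: OK$'
}

# Print OK or FAIL for one set of verify options.
report() {
    if chain_ok "$@"; then echo OK; else echo FAIL; fi
}

make_chain || { echo "openssl chain setup failed" >&2; exit 1; }

# 1. Only the root is trusted and nobody supplies the intermediate.
echo "root trusted, no intermediate:       $(report -CAfile root.pem)"

# 2. Root trusted, intermediate supplied as an untrusted extra certificate,
#    which is what a correctly configured peer sends during the handshake.
echo "root trusted, intermediate supplied: $(report -CAfile root.pem -untrusted intermediate.pem)"

# 3. Intermediate concatenated into the trusted file, as suggested for -CAfile.
cat intermediate.pem root.pem > ca-bundle.pem
echo "intermediate inside the CAfile:      $(report -CAfile ca-bundle.pem)"
```

Case 1 is the failure a client sees when a server omits its intermediate; cases 2 and 3 correspond to the two fixes named in the reply.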