On Fri, Jan 18, 2008, Charles Lindsay wrote:
> I would like to create a key+certificate using OpenSSL, and import
> that to MS SqlServer 2005 for it to use for encrypted sessions (please
> don't ask why I need to do this, some of us are just cursed).
> Microsoft imposes various restrictions on such certificates, including
> one I do not understand:
> from: http://blogs.msdn.com/sql_protocols/archive/2005/12/30/508311.aspx
> "The Certificate's key spec must include AT_KEYEXCHANGE property"
>
> Can anyone tell me whether this is a property of the key as generated
> by OpenSSL (and how would I modify my openssl commands to do so), or
> would it be purely something I have to set while importing the key
> into MS land (I know this isn't the forum for the latter).
>
> The commands I use to generate the key+cert:
> openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mycert.pem -out mycert.pem
> openssl pkcs12 -export -out mycert.pfx -in mycert.pem -name "My certificate"
> openssl x509 -inform PEM -in mycert.pem -fingerprint -sha1 -noout
>
> (the last I use just to extract the fingerprint to jam into the MS
> registry -- which for reasons beyond my ken they refer to as a
> "thumbprint").
AT_KEYEXCHANGE is an MS-specific thing which indicates the usage the key can be put to. It should be the default when you import a PKCS#12 file. You can explicitly include the MS-specific flag with the -keyex switch to the pkcs12 command, but it shouldn't be necessary.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
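Added example, not code from the thread or from the OpenSSL project: a small shell script that builds the key+cert, exports the PKCS#12 with the -keyex switch Steve mentions, and reads the key-usage attribute back out of the PFX so the AT_KEYEXCHANGE marker (which OpenSSL stores as key-usage byte 0x10; -keysig stores 0x80) can be checked before the file is handed to SQL Server, plus a helper that turns the SHA-1 fingerprint into the colon-free "thumbprint" form. It assumes a stock openssl binary on PATH; the password "changeit", the CN and the file names are placeholders, and it uses rsa:2048 instead of the thread's rsa:1024.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes a stock `openssl` binary on
# PATH; "changeit" and the CN are placeholder values.

# Self-signed key + cert into directory $1. Uses 2048-bit RSA instead of the
# thread's rsa:1024, which is below the minimum accepted today.
make_keypair() {
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=sql-test" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Export $1/key.pem + $1/cert.pem to the PFX $2. $3 selects the MS key spec:
# -keyex (AT_KEYEXCHANGE), -keysig (AT_SIGNATURE) or "" for no attribute.
make_pfx() {
  openssl pkcs12 -export $3 -inkey "$1/key.pem" -in "$1/cert.pem" \
    -name "My certificate" -out "$2" -passout pass:changeit
}

# Read back the key-usage attribute OpenSSL stores on the PKCS#8 key inside the
# PFX: prints "10" for -keyex, "80" for -keysig, nothing when none was set.
pfx_key_usage() {
  openssl pkcs12 -in "$1" -passin pass:changeit -nodes -nocerts 2>/dev/null \
    | sed -n 's/^ *X509v3 Key Usage: \([0-9A-Fa-f]*\).*/\1/p'
}

# SHA-1 fingerprint of cert $1 with the colons removed, i.e. the form SQL
# Server expects as the "thumbprint" in its registry value.
thumbprint() {
  openssl x509 -in "$1" -fingerprint -sha1 -noout | sed 's/^.*=//; s/://g'
}

# Whole round trip for one key spec ($1): prints the key usage found in the PFX.
exported_key_usage() {
  dir=$(mktemp -d)
  make_keypair "$dir" && make_pfx "$dir" "$dir/mycert.pfx" "$1"
  pfx_key_usage "$dir/mycert.pfx"
  rm -rf "$dir"
}
```

Run `exported_key_usage -keyex` and expect `10`; an empty result means the PFX carries no key spec and SQL Server will have to pick one on import.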