Forwarded to openssl-users for discussion.

Best regards,
        Lutz
----- Forwarded message from Alexander Mills <alexander.mi...@psycle.com> -----

From: Alexander Mills <alexander.mi...@psycle.com>
To: r...@openssl.org
Subject: Intermediate certificate chain not included when exporting as pkcs12
Date: Thu, 17 Feb 2011 09:15:37 +0000

Recently I was tasked with using a .crt and .key used in Apache for
use with Apache Tomcat. I searched around and the solution was to use
the following command, where the p7b file is the intermediate
certificate provided by Thawte.

openssl pkcs12 -export -in myCert.crt -inkey myKey.key \
    -out mypkcs12.p12 -name tomcat -CAfile ssl_pkcs7.p7b -caname root -chain

For some reason, which I am yet to fathom, the above command will not
export the intermediate chain, and thus the certificate becomes
untrustworthy.
The only solution I have been able to find is to use Internet Explorer.

I've written the instructions for IE below, but I'm perplexed as to
why openssl isn't behaving as I thought it would have (and clearly
others feel this way).

Open IE
Click Tools
Click Internet Options
Click Content
Click Certificates
Import the p12 file into the Personal Store
Go to the Trusted Root Certification Authorities tab
Delete “Thawte Primary Root CA” issued by “Thawte Primary Root CA”
Import the intermediate file from the following link into the
Intermediate Certification tab: 
https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=AR1373
Right click 'Download the PKCS#7 CA' and save the file and import that
file into the Intermediate Certification Authorities tab
Then go back to the Personal Store tab
Double click the certificate
Click the certification path tab
There should be 4 certificates in the certificate hierarchy at this
stage
Highlight the certificate in the Personal Store
Click on Export
Click 'Yes, export private key'
Click Next
Put a tick in the first checkbox only, not the other two
Finish the wizard
Rename the PFX file you create to have a p12 extension
Use the new .p12 file in Tomcat



----- End forwarded message -----
--
Lutz Jaenicke           jaeni...@openssl.org
OpenSSL Project         http://www.openssl.org/~jaenicke/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
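
Added example (not part of the forwarded message and not OpenSSL project code): `-CAfile` reads PEM-encoded certificates, so one way to get the chain into the PKCS#12 file is to unpack the PKCS#7 bundle to PEM first and then run the same export. The throwaway PKI, the `changeit` password, `chain.pem` and the function names are constructed for this demo; the other file names are reused from the message.

```sh
#!/bin/sh
# Added example; subjects, password and helper names are constructed.
set -eu

# Throwaway root -> intermediate -> leaf PKI in directory $1; the two CA
# certificates are bundled as PKCS#7, like the CA's .p7b download.
make_demo_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Demo Root' \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate' \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=demo.example' \
    -keyout "$d/myKey.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -set_serial 3 -days 2 -out "$d/myCert.crt" 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$d/int.crt" -certfile "$d/root.crt" \
    -out "$d/ssl_pkcs7.p7b"
}

# Unpack the PKCS#7 bundle to PEM (add -inform DER for a binary .p7b), then
# export; -chain builds the path to the root from the PEM file.
export_with_chain() {
  d=$1
  openssl pkcs7 -print_certs -in "$d/ssl_pkcs7.p7b" -out "$d/chain.pem"
  openssl pkcs12 -export -in "$d/myCert.crt" -inkey "$d/myKey.key" \
    -name tomcat -CAfile "$d/chain.pem" -caname root -chain \
    -passout pass:changeit -out "$d/mypkcs12.p12"
}

# Count the certificates stored in PKCS#12 file $1 (leaf plus CA certs).
count_p12_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin pass:changeit 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE' || true
}

work=$(mktemp -d)
make_demo_pki "$work"
export_with_chain "$work"
echo "certificates in mypkcs12.p12: $(count_p12_certs "$work/mypkcs12.p12")"
```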