> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
>
> - the truststore if -CAfile and/or -CApath specified IF NEEDED

Thank you very much for your awesome detailed answer. This answers a lot of questions, but I am left with a new one:

I use openssl on a lot of different platforms, and it always seems to be built differently... OSX native, OSX homebrew, various linuxes, openindiana, cygwin, nuGet in Visual Studio, etc. I don't know if these builds universally include any set of root CAs, and sometimes I can find a directory to answer my question, sometimes not. Is there some way I can make openssl tell me the list of roots it has? Or tell me the directory (directories) that it searches?

It seems, to answer my original question, *if* I can trust that openssl on the platform that I'm using actually has a complete-ish set of root CAs, then the best and easiest way to build the pfx will be:

    openssl pkcs12 -export -out mypkcs12.pfx -inkey my.private.key -in mycert.crt -certfile intermediate.crt

(Correct?)

And if the above doesn't automatically include the root CA for my chain (or if I just like doing it explicitly), then I can do this:

    openssl pkcs12 -export -out mypkcs12.pfx -inkey my.private.key -in mycert.crt -certfile intermediate.crt -CAfile ca.crt

(Correct?)

Alternatively, I could

    cat mycert.crt intermediate.crt ca.crt > mychain.crt
    openssl pkcs12 -export -out mypkcs12.pfx -inkey my.private.key -in mychain.crt

(Correct?)

Thanks...
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
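
Added example, not part of the original message and not OpenSSL project code: a shell script that builds a throwaway root, intermediate and leaf under the file names used in the message, runs the three export commands, and counts the certificates that end up in each PKCS#12 file. The subject names, the password "test" and the function names are constructed for the illustration; `openssl version -d` prints the OPENSSLDIR the build was configured with.

```shell
#!/bin/sh
# Constructed test data only: every key and certificate here is throwaway.
set -e

# Build root -> intermediate -> leaf in the current directory, using the
# file names from the message.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root" \
    -keyout ca.key -out ca.crt 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout intermediate.key -out intermediate.csr 2>/dev/null
  openssl x509 -req -in intermediate.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -extfile ca.ext -days 2 -out intermediate.crt 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
    -keyout my.private.key -out mycert.csr 2>/dev/null
  openssl x509 -req -in mycert.csr -CA intermediate.crt \
    -CAkey intermediate.key -CAcreateserial -days 2 -out mycert.crt 2>/dev/null
}

# Print the number of certificates stored in a PKCS#12 file.
count_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin pass:test 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Run the three variants from the message in a scratch directory (subshell,
# so the caller's working directory is untouched); one count per line.
export_variants() (
  dir=$(mktemp -d)
  cd "$dir"
  make_test_pki
  base="openssl pkcs12 -export -passout pass:test -inkey my.private.key"
  # Variant 1: leaf plus -certfile intermediate
  $base -out v1.pfx -in mycert.crt -certfile intermediate.crt
  # Variant 2: same, with -CAfile ca.crt added
  $base -out v2.pfx -in mycert.crt -certfile intermediate.crt -CAfile ca.crt
  # Variant 3: whole chain concatenated and passed via -in
  cat mycert.crt intermediate.crt ca.crt > mychain.crt
  $base -out v3.pfx -in mychain.crt
  for f in v1.pfx v2.pfx v3.pfx; do count_certs "$f"; done
  rm -rf "$dir"
)

openssl version -d   # the OPENSSLDIR this build was configured with
export_variants      # prints 2, 2, 3 (one per line)
```

The second variant stores the same two certificates as the first: naming the root with -CAfile does not by itself copy it into the file, while concatenating it into the -in file does.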