> From: owner-openssl-us...@openssl.org On Behalf Of Edward Ned Harvey (openssl) > Sent: Thursday, April 24, 2014 16:15
> > > openssl pkcs12 -export -out mypkcs12.pfx -inkey my.private.key -in > > mycert.crt -certfile intermediate.crt -CAfile ca.crt > > > (Correct?) > > So ... I just tried this, and confirmed, that it doesn't work... The root CA cert is > not included in the pfx. > Works for me. Are you sure you used the correct root? Note that you can put a mismatching root in the pkcs12 using the other ways (infile or -certfile) and the pkcs12 will still work correctly often -- at least IE+Chrome, Firefox, and Java using JKS. > > > Alternatively, I could > > > cat mycert.crt intermediate.crt ca.crt > mychain.crt > > > openssl pkcs12 -export -out mypkcs12.pfx -inkey my.private.key -in > > mychain.crt > > It seems the easiest thing to do is... > > cat intermediate.crt ca.crt > chain.crt > openssl pkcs12 -export -out mypkcs12.pfx -inkey my.private.key -in mycert.crt - > certfile chain.crt > Both of those will always put the (putative) root. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
