John Douglass wrote:
> 
> After reading the document:
> 
> http://developer.netscape.com/docs/manuals/cms/41/dep_gide/dwnld.htm
> 
> I'm still a bit unclear as to what I need to do to make
> the following happen:
> 
> In one click, I'd like three CA certificates to be downloaded
> into the netscape browser.
> 
> My CA hierarchy is:
> 
>     Master CA
>     |       |
>   CA 1    CA 2
> 
> Right now, because of my inexperience, I'm having to have the
> user click on each one separately because I'm using the
> content type: application/x-x509-ca-cert which seems to only
> grab the first cert anyway and ignore the rest.
> 
> Anyone having any experience to share would be greatly appreciated.
> (i.e. what commands to type and what special {if any} directives
> for my openssl.cnf or generated CA certificates)
> 

Well my initial question is why do you need to do that? If the "Master CA"
is installed and trusted and CA1 and CA2 have the appropriate extensions
then CA1 and CA2 don't need to be installed in order for Netscape to
trust any certificate signed by CA1 and CA2.

If however you want to install an end user certificate (client or S/MIME
for example) then the client should have the intermediate CA installed
so it can include it.

I suppose it's also possible you have some other reason for adding other
CAs.

The way you handle this is by using an alternative form for the file you
send to Netscape. If you use PKCS#7 format then the first certificate is
taken as being the "target" (i.e. the one it will install as trusted)
and any following certificates will be added as untrusted, provided they
are valid CAs. You can create a PKCS#7 file with:

openssl crl2pkcs7 -nocrl -certfile rootca.pem -certfile ca1.pem \
    -certfile ca2.pem -outform DER -out p7.cacert

then if you send that as MIME type application/x-x509-ca-cert it should
automatically add the other two as untrusted.

Similarly if you install an end user certificate as MIME type
application/x-x509-user-cert it will add other CAs as part of the enroll
process.

The crucial point is that CA1 and CA2 must be valid CAs or they will be
rejected. Indeed OpenSSL itself will reject invalid CAs. This is with
good reason: you wouldn't want any user to be able to impersonate a CA
would you?

You can create a valid CA using the -signca option to CA.pl in OpenSSL
0.9.6 when you sign the request from CA1 and CA2.

You can check the validity of a CA with:

openssl x509 -in ca1.pem -purpose -noout

(ignore the any purpose things at the end) or manually with

openssl x509 -in ca1.pem -text -noout

this should contain a line with:

  X509v3 Basic Constraints:
      CA:TRUE

among other things.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
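As an added example (not part of Steve's reply or of the OpenSSL project), the script below generates a constructed Master CA / CA 1 / CA 2 hierarchy, checks each member for the CA:TRUE basic constraint the way the x509 -text check above does, and only then builds the DER PKCS#7 bundle with crl2pkcs7. It assumes an OpenSSL 1.1.1 or later command line; all file names and subject names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): build the Master CA + CA1 + CA2 PKCS#7
# bundle described above, refusing to bundle any certificate that is not a
# valid CA. All file names and subjects are constructed; assumes OpenSSL 1.1.1+.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
# Extensions that make a certificate a usable CA; CA:TRUE is the part both
# Netscape and OpenSSL insist on. leaf.ext deliberately says CA:FALSE.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext

# Self-signed "Master CA" (request, then self-sign with the CA extensions)
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Master CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 3650 \
  -extfile ca.ext -out rootca.pem 2>/dev/null

# make_sub SUBJECT FILE EXTFILE: issue a certificate from the Master CA
make_sub() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
    -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA rootca.pem -CAkey root.key \
    -CAcreateserial -days 1825 -extfile "$3" -out "$2.pem" 2>/dev/null
}
make_sub "CA 1" ca1 ca.ext
make_sub "CA 2" ca2 ca.ext
make_sub "Not a CA" leaf leaf.ext   # an "invalid CA" that must be rejected

# is_ca FILE: succeeds only if Basic Constraints asserts CA:TRUE
is_ca() {
  openssl x509 -in "$1" -text -noout | grep -q 'CA:TRUE'
}

# build_bundle OUT CERT...: check every member with is_ca first, then write
# the DER PKCS#7 bundle, root listed first as in the crl2pkcs7 command above.
build_bundle() {
  out=$1; shift
  for c in "$@"; do is_ca "$c" || return 1; done
  args=""; for c in "$@"; do args="$args -certfile $c"; done
  openssl crl2pkcs7 -nocrl $args -outform DER -out "$out"
}

# bundle_subjects FILE: one "subject=..." line per certificate in the bundle
bundle_subjects() {
  openssl pkcs7 -inform DER -in "$1" -print_certs -noout | grep '^subject='
}
build_bundle p7.cacert rootca.pem ca1.pem ca2.pem
bundle_subjects p7.cacert
```

Running the script with a certificate that lacks CA:TRUE in the list makes build_bundle fail before crl2pkcs7 is ever invoked, which is the same rejection Netscape would otherwise apply silently.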
