John Douglass wrote: > > After reading the document: > > http://developer.netscape.com/docs/manuals/cms/41/dep_gide/dwnld.htm > > I'm still a bit unclear as to what I need to do to make > the following happen: > > In one click, I'd like three CA certificates to be downloaded > into the netscape browser. > > My CA heiarchy is: > > Master CA > | | > CA 1 CA 2 > > Right now, because of my inexperience, I'm having to have the > user click on each one separately because I'm using the > content type: application/x-x509-ca-cert which seems to only > grab the first cert anyway and ignore the rest. > > Anyone having any experience to share would be greatly appreciated. > (i.e. what commands to type and what special {if any} directives > for my openssl.cnf or generated CA certificates) > Well my initial question is why do you need to do that? If the "Master CA" is installed and trusted and CA1 and CA2 have the appropriate extensions then CA1 and CA2 don't need to be installed in order for Netscape to trust any certificate signed by CA1 and CA2. If however you want to install an end user certificate (client or S/MIME for example) then the client should have the intermediate CA installed so it can include it. I suppose its also possible you have some other reason for adding other CAs. The way you handle this is by using an alternative form for the file you send to Netscape. If you use PKCS#7 format then the first certificate is taken as being the "target" (i.e. the one it will install as trusted) and any following certificates will be added as untrusted, provided they are valid CAs. You can create a PKCS#7 file with: openssl crl2pkcs7 -nocrl -certfile rootca.pem -certfile ca1.pem -certfile ca2.pem -outform DER -out p7.cacert then if you send that as MIME type application/x-x509-ca-cert it should automatically add the other two as untrusted. Similarly if you install an end user certificate as MIME type application/x-x509-user-cert it will add other CAs as part of the enroll process. The crucial point is that CA1 and CA2 must be valid CAs or they will be rejected. Indeed OpenSSL itself will reject invalid CAs. This is with good reason: you wouldn't want any user to be able to impersonate a CA would you? You can create a valid CA using the -signca option to CA.pl in OpenSSL 0.9.6 when you sign the request from CA1 and CA2. You can check the validity of a CA with: openssl x509 -in ca1.pem -purpose -noout (ignore the any purpose things at the end) or manually with openssl x509 -in ca1.pem -text -noout this should contain a line with: X509v3 Basic Constraints: CA:TRUE among other things. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
