On 10/04/01 10:58 PM, Averroes sat at the `puter and typed:
> Hi Louis,
>
> I have a new question for you.
>
> After making the certificate chain,
> Say, Root-CA --> Sub-CA --> User-Cert.
> I want to publish this CAuthority chain in a pkcs7 file.
>
> Do you think it is the best format, if not which format
> do you prefer for that?
>
> And which openssl command do I need to use to produce
> this chain?
>
> Any ideas or comments will be very appreciated!
Actually, you probably just want to create the chain out of the intermediate CA certificates in PEM format - don't include the keys. Here's a layout:

  server_cert <- int_ca_1 <- int_ca_2 <- . . . <- int_ca_n <- root_ca

You get the idea. Your chain file should consist of the intermediate certs int_ca_1 - int_ca_n, and in that order. The cert that signed your server should be at the top of the chain, then the cert that signed that one, etc. I'm under the impression that the root CA can be included in the chain (at the end) but is not needed.

If you are running Apache, you would want to point to it in httpd.conf with the SSLCertificateChainFile directive.

The root CA should be installed on the browser in question, and can be installed by serving it with the proper mime type. Your httpd.conf should have something like the following:

  <IfDefine SSL>
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl
  </IfDefine>

Put the root ca in the html tree wherever you deem appropriate, and request it from the browser. Once you have installed it, and the cert chain is properly defined, your browser should trust the server implicitly.

HTH
Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://acadia.ne.mediaone.net

vuja de: The feeling that you've *never*, *ever* been in this situation before.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                                [EMAIL PROTECTED]