Much newer, that one is from Netscape 4.72.

Well, my mistake, thought it was some sort of hidden thing... :) (made sense to me since it contains the public keys of all trusted CAs)

Great stuff there, commands and all, thanks a lot.

-----Original Message-----
From: Brad House [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 03, 2002 4:59 PM
To: [EMAIL PROTECTED]
Subject: Re: Trusted CA list

The certs are not hard-coded into IE at all...

While in IE6, go to Tools->Internet Options
Click on the Content Tab
Click on the Certificates Button
Click on Trusted Root Certificate Authorities
Then select the entire list (click on first one then shift-click the last one)
And click the export button.

This will export in PKCS #7. (name the file certs.p7b)
Then issue this openssl command line option to convert to a more readable (PEM) format:

    openssl pkcs7 -inform DER -outform PEM -in certs.p7b -out certs.pem -print_certs

If you'd like more detailed info about the certificates just append a -text to the above command line ...

Then you've got a perfect PEM file for use with openssl!!! (and is newer than the one provided by mod_ssl)

-Brad

Roberto Rodrigues - McLean wrote:
> still there.
>
> thank you.
>
> -----Original Message-----
> From: Lutz Jaenicke [mailto:[EMAIL PROTECTED]]
> Sent: Friday, May 03, 2002 4:14 PM
> To: '[EMAIL PROTECTED]'
> Subject: Re: Trusted CA list
>
> On Fri, May 03, 2002 at 03:18:06PM -0400, Roberto Rodrigues - McLean wrote:
>
>>Is the Trusted CA list (with the respective CAs public keys) available
>>anywhere ? Internet Explorer has it hard-coded, now and then we see some
>>patch coming from MS that updates the ROOT CA list. How does Netscape (or
>>Mozilla) check the CAs signatures ? Do they also have the list ?
>>
>>Does Verisign pay Microsoft to put the list in the Browser or MS pays
>>Verisign for the list ?
>>
>>Finally, if one is writing a new browser, how can it be capable of verifying
>>the authenticity (signature) of the certificates received from servers
>>without having the respective CAs public keys to check the signature with ?
>
> The extracted list usable for OpenSSL should be included in the
> mod_ssl package (or at least it used to be, didn't check recently).
>
> Best regards,
> Lutz

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
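
The export-and-convert procedure from Brad's message, as an added example that is not part of the original thread: it runs the same `openssl pkcs7` conversion on a stand-in `certs.p7b` and then checks that the resulting `certs.pem` works as a trust list. Assumptions: the two CAs and the leaf are constructed throwaway certificates replacing the browser export, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. The two CAs and the leaf are constructed throwaway test certs
# standing in for the roots exported from the browser.

# Build a DER PKCS#7 bundle of two self-signed CAs, plus a leaf issued by the first.
make_demo_bundle() {  # $1 = work directory
    for n in 1 2; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=Constructed Root CA $n" \
            -keyout "$1/ca$n.key" -out "$1/ca$n.pem" 2>/dev/null || return 1
    done
    cat "$1/ca1.pem" "$1/ca2.pem" > "$1/roots.pem"
    openssl crl2pkcs7 -nocrl -certfile "$1/roots.pem" \
        -outform DER -out "$1/certs.p7b" || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/leaf.csr" -days 30 -CA "$1/ca1.pem" \
        -CAkey "$1/ca1.key" -CAcreateserial -out "$1/leaf.pem" 2>/dev/null
}

# The conversion from the message: DER PKCS#7 in, PEM certificate list out.
p7b_to_pem() {  # $1 = certs.p7b, $2 = certs.pem
    openssl pkcs7 -inform DER -outform PEM -in "$1" -out "$2" -print_certs
}

# Number of certificates that ended up in the PEM file.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Subject and issuer of every certificate, for review before trusting the file.
list_certs() {
    openssl pkcs7 -inform DER -in "$1" -print_certs -noout
}

# Succeeds only if certificate $2 chains to a root in PEM bundle $1.
trusted_by_bundle() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

work=$(mktemp -d)
make_demo_bundle "$work" && p7b_to_pem "$work/certs.p7b" "$work/certs.pem"
list_certs "$work/certs.p7b"
echo "certificates in certs.pem: $(count_certs "$work/certs.pem")"
trusted_by_bundle "$work/certs.pem" "$work/leaf.pem" && echo "leaf verifies"
```

On a real export, read the `list_certs` output and drop any root you do not want to trust before passing `certs.pem` to `-CAfile`.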