On Thu, Jan 02, 2003, Ed Harty wrote: > Hi, > > I am generating a client cert for Apache using openssl with my own CA as > follows: > > openssl genrsa -out client.key 1024 > openssl req -new -key client.key -out client.csr > openssl x509 -req -days 365 -CA myCA.cert -CAkey myCA.key -CAcreateserial > -in client.csr -out client.crt > openssl pkcs12 -chain -export -clcerts -CAfile myCA.cert -in client.crt > -inkey client.key -out client.p12 -chain -name "Cert friendly name" > > When I import the cert into IE 5.5 everything is fine except that the cert > is suitable for the following: > > Windows System Component Verification > Windows Hardware Driver Verification > Allow data on disk to be encrypted > Allow secured communication on Internet > Allow you to digitally sign a Certificate Trust List > Allow data to be signed with the current time > Ensure e-mail came from sender > Protect e-mail from tampering > Ensure the content of e-mail cannot be viewed by others > Protect software from tampering after publication > Ensure software came from software publisher > Guarantee your identity to a remote computer > > > QUESTION: How do I set the cert for basic options only, i.e. verify > computer identity ??? >
Add an extended key usage extension with appropriate usages, see doc/openssl.txt Steve. -- Dr. Stephen Henson [EMAIL PROTECTED] OpenSSL Project http://www.openssl.org/~steve/ ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]