Thank you all... Your comments helped a lot and I have managed to get my CA
running perfectly.

Thanks!

Anton


2010/1/12 Patrick Patterson <ppatter...@carillon.ca>

> Ok - several things:
>
> 1: Does the certificate contain both an email address, and EKU of
> emailProtection?
>
> 2: Did you import the CA certificate chain before trying to import the
> certificate?
>
> 3: I presume this certificate is so that you can perform S/MIME encryption -
> do you have the correct values in Key Usage? (keyEncipherment,
> dataEncipherment)
>
> What does your openssl.cnf section say for the type of certificate
> generated?
>
> What does your CA Certificate look like?
>
> If you want help setting up a CA that "just works" for most of these
> different kinds of certificates, you can grab our OpenSSL CA Setup guide
> (http://www.carillon.ca/library/openssl_testca_howto_1.2.pdf) - it's for
> the more complex environment of CertiPath/US Federal Bridge
> interoperability, but it gives you a good idea of what is required for the
> various profiles of certificates to have them work in various use cases
> (one size most definitely does NOT fit all, and the stock openssl.cnf isn't
> sufficient :)
>
> Have fun!
>
> Patrick.
>
>
> On January 12, 2010 08:23:18 am Anton Xuereb wrote:
> > The client I'm trying to import the public key into is Thunderbird 3 on
> > Linux.
> >
> > The client on Windows is MS Outlook with winpgp installed for pgp
> > encryption.
> >
> > The problem is being presented with Thunderbird at the moment as I'm
> > trying to import the public key in order to be able to send encrypted
> > emails to the Windows machine.
> >
> > Thanks,
> >
> > Anton
> >
> > 2010/1/12 Mounir IDRASSI <mounir.idra...@idrix.net>
> >
> > > Hi,
> > >
> > > What mail client are you using under Windows?
> > > Each mail client has its own storage for private keys (Thunderbird uses
> > > local NSS key storage, Outlook uses CSP and IE certificate store). So,
> > > since you generated the key outside the scope of the mail client, you
> > > will certainly have to create a PKCS#12 file (also called PFX under
> > > Windows) containing your private key and its signed certificate and
> > > then import this file into your mail client's key storage (for Outlook,
> > > you'll have to install the PFX by double-clicking on it).
> > > So, everything depends on your mail client and how it will access your
> > > private key.
> > >
> > > Cheers,
> > > --
> > > Mounir IDRASSI
> > > IDRIX
> > > http://www.idrix.fr
> > >
> > > On 1/12/2010 12:35 PM, Anton Xuereb wrote:
> > >> Hi,
> > >>
> > >> I'm trying to create a private CA with openssl for my enterprise. I
> > >> have generated the CA private key and certificate. I have created a key
> > >> pair and a certificate signing request from a Windows PC using Kleopatra
> > >> (key management utility that comes with winpgp). I signed the request
> > >> with the CA's key and sent the signed certificate to the Windows PC and
> > >> imported the certificate. I exported the public key which I sent to my
> > >> laptop. I imported the certificate of my CA into my mail client and
> > >> trusted it. I then imported the public key as exported from the Windows
> > >> PC. It is imported but instead of being put into the People category
> > >> it's sent in the Others section as it apparently does not fit in any of
> > >> the other categories. I am therefore unable to send encrypted mail to
> > >> the Windows PC using its public key as my client will not use it to
> > >> encrypt.
> > >>
> > >> The following are the commands I used in order to get to this point:
> > >>
> > >> In order to generate the private key and ca certificate:
> > >>
> > >> # openssl req -config openssl.my.cnf -new -x509 -extensions v3_ca -keyout private/myca.key -out certs/myca.crt -days 1825
> > >>
> > >> I converted the request from DER to PEM format using:
> > >>
> > >> openssl req -in datareq.p10 -inform der -out datareq.csr
> > >>
> > >> In order to sign the request:
> > >>
> > >> # openssl ca -config openssl.my.cnf -policy policy_anything -in datareq.csr
> > >>
> > >> I'm at a loss at the moment so any help would be appreciated.
> > >>
> > >> Thanks ,
> > >>
> > >> Anton
> > >
> > >
> > > ______________________________________________________________________
> > > OpenSSL Project                                 http://www.openssl.org
> > > User Support Mailing List                    openssl-users@openssl.org
> > > Automated List Manager                           majord...@openssl.org
>
> --
> Patrick Patterson
> President and Chief PKI Architect,
> Carillon Information Security Inc.
> http://www.carillon.ca
>
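
The three checks Patrick lists, as an added example that is not part of the thread: a throwaway CA issues one certificate from an S/MIME extension section and one from a signing-only section, and check_smime tests each. Section names, subjects and file names are constructed, and signing uses `openssl x509 -req` instead of the thread's `openssl ca` to avoid the CA database; with `openssl ca` the section is chosen the same way via `-extensions`.

```sh
#!/bin/sh
# Added example; file names, subjects and section names are constructed.
write_config() { cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ smime_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, keyEncipherment, dataEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:user@example.com
[ sign_only ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
EOF
}
make_ca() {   # throwaway CA key and self-signed certificate
    openssl req -config demo.cnf -new -x509 -extensions v3_ca -newkey rsa:2048 \
        -nodes -keyout ca.key -out ca.crt -days 30 -subj "/CN=Demo Test CA" 2>/dev/null
}
issue() {     # issue NAME SECTION: key + CSR, signed with SECTION's extensions
    openssl req -config demo.cnf -new -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=Demo User" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -extfile demo.cnf -extensions "$2" -days 30 -out "$1.crt" 2>/dev/null
}
check_smime() {   # check_smime CERT: returns 0 only if all checks pass
    rc=0
    # 1: e-mail address present, and EKU lists emailProtection
    [ -n "$(openssl x509 -in "$1" -noout -email)" ] ||
        { echo "$1: no e-mail address"; rc=1; }
    openssl x509 -in "$1" -noout -text | grep -q 'E-mail Protection' ||
        { echo "$1: EKU lacks emailProtection"; rc=1; }
    # 2 and 3: chains to the CA, and keyUsage allows keyEncipherment
    openssl verify -CAfile ca.crt -purpose smimeencrypt "$1" >/dev/null 2>&1 ||
        { echo "$1: chain or keyUsage unsuitable for S/MIME encryption"; rc=1; }
    return $rc
}

cd "$(mktemp -d)" && write_config && make_ca &&
    issue good smime_ext && issue bad sign_only
check_smime good.crt && echo "good.crt: usable for S/MIME encryption"
check_smime bad.crt || echo "bad.crt: rejected"
```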
