I had this problem, too. A workaround that does the trick for me is to

- encode the key and any certificate you'd like to export to the .p12 as PEM
- Paste the PEM key and all the PEM certificates into one single file (let's assume all.pem)
- then issue the following command:

openssl pkcs12 -export -in all.pem -out mypkcs12.p12 -name tomcat

Regards,
Martin

2011/2/17 Lutz Jaenicke <jaeni...@openssl.org>:
> Forwarded to openssl-users for discussion.
>
> Best regards,
>        Lutz
> ----- Forwarded message from Alexander Mills <alexander.mi...@psycle.com> -----
>
> From: Alexander Mills <alexander.mi...@psycle.com>
> To: r...@openssl.org
> Subject: Intermediate certificate chain not included when exporting as pkcs12
> Date: Thu, 17 Feb 2011 09:15:37 +0000
>
> Recently I was tasked with using a .crt and .key used in Apache for
> use with Apache Tomcat. I searched around and the solution was to use
> the following command, where the p7b file is the intermediate
> certificate provided by Thawte.
>
> openssl pkcs12 -export -in myCert.crt -inkey myKey.key -out mypkcs12.p12 -name tomcat -CAfile ssl_pkcs7.p7b -caname root -chain
>
> For some reason, which I am yet to fathom, the above command will not
> export the intermediate chain, and thus the certificate becomes
> untrustworthy.
> The only solution I have been able to find is to use Internet Explorer.
>
> I've written the instructions for IE below, but I'm perplexed as to
> why openssl isn't behaving as I thought it would have (and clearly
> others feel this way).
>
> Open IE
> Click Tools
> Click Internet Options
> Click Content
> Click Certificates
> Import the p12 file into the Personal Store
> Go to the Trusted Root Certification Authorities tab
> Delete “Thawte Primary Root CA” issued by “Thawte Primary Root CA”
> Import the intermediate file from the following link into the Intermediate Certification tab:
> https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=AR1373
> Right click 'Download the PKCS#7 CA' and save the file and import that file into the Intermediate Certification Authorities tab
> Then go back to the Personal Store tab
> Double click the certificate
> Click the certification path tab
> There should be 4 certificates in the certificate hierarchy at this stage
> Highlight the certificate in the Personal Store
> Click on Export
> Click 'Yes, export private key'
> Click Next
> Put a tick in the first checkbox only, not the other two
> Finish the wizard
> Rename the PFX file you create to have a p12 extension
> Use the new .p12 file in Tomcat
>
>
>
> ----- End forwarded message -----
> --
> Lutz Jaenicke           jaeni...@openssl.org
> OpenSSL Project         http://www.openssl.org/~jaenicke/
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>
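A scripted check of the workaround at the top of this thread, added here as an example and not part of the original mails: it exports a single PEM bundle as described and then counts the certificates stored in the resulting .p12, so a missing intermediate is caught before the file is handed to Tomcat. The three-certificate chain, subject names, password and temporary paths are all constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: throwaway root -> intermediate -> leaf; every name is made up.
set -eu
umask 077                          # private keys must not be world-readable
PASS=changeit                      # demo password only
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT         # remove demo keys when the script ends

# Build a three-certificate chain (stands in for the files issued by a real CA).
make_demo_chain() {
    printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Demo Root' \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate' \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
        -keyout "$WORK/myKey.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 2 -out "$WORK/myCert.crt" 2>/dev/null
}

# The workaround from the mail: key plus every certificate in one PEM file.
export_bundle() {   # $1 = output .p12, remaining args = PEM files to concatenate
    out=$1; shift
    cat "$@" > "$WORK/all.pem"
    openssl pkcs12 -export -in "$WORK/all.pem" -out "$out" -name tomcat \
        -passout "pass:$PASS"
}

# Count the certificates stored in a .p12 (the private key is never printed).
count_p12_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

make_demo_chain
export_bundle "$WORK/leaf-only.p12" "$WORK/myKey.key" "$WORK/myCert.crt"
export_bundle "$WORK/mypkcs12.p12" "$WORK/myKey.key" "$WORK/myCert.crt" \
    "$WORK/int.pem" "$WORK/root.pem"
echo "leaf-only.p12: $(count_p12_certs "$WORK/leaf-only.p12") certificate(s)"
echo "mypkcs12.p12:  $(count_p12_certs "$WORK/mypkcs12.p12") certificate(s)"
```

A count lower than the number of certificates in the expected chain means the keystore will not present the full chain to clients.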