Appreciate if any learned OpenSSL folks could comment on whether the below steps are 
suitable for creating a cacert with a "friendly" name?

openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -key ca.key -out ca.crt -days 730

openssl pkcs12 -export -in ca.crt -out newca.crt -name "My Certificate"


 

----- Original Message -----
From: Hopkins, Nathan
To: 'openssl-users@openssl.org' <openssl-users@openssl.org>
Sent: Sun Dec 04 19:56:45 2011
Subject: Re: Friendly name

Hi, please can anyone confirm below would be the full process?


----- Original Message -----
From: Hopkins, Nathan
To: openssl-users@openssl.org <openssl-users@openssl.org>
Sent: Fri Dec 02 22:50:47 2011
Subject: RE: Friendly name

Many thanks Jakob / Dr.Henson - so would the below be the full process?

openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -key ca.key -out ca.crt -days 730

openssl pkcs12 -export -in ca.crt -out newca.crt -name "My Certificate"

Are there any implications of putting the cert inside a pkcs12 container?



-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Jakob Bohm
Sent: 02 December 2011 09:10
To: openssl-users@openssl.org
Subject: Re: Friendly name

Hi,

First, sorry for my previous response about an OID, I didn't check enough
details before I posted.

Based on what Dr.Henson wrote and my own knowledge, here is a better answer:

The friendly name is NOT a field in a certificate.  It is just a "file name"
that the certificate is stored under in some programs, especially those from
Mozilla and Microsoft.

This would mean there are 2 ways to set the friendly name:

A) Import the certificate (without the private key since this is supposed to
be a secure CA) in the M or M software and set the "friendly name" in the user
interface of that program.

B) Use openssl to put the certificate (without the private key!) in a PKCS#12
"certificate backup" file and set the friendly name of the certificate in that
PKCS#12 file, then import the PKCS#12 file to the M or M software.

Because the friendly name is not part of the certificate itself, you don't
need to create a new certificate when setting or changing the friendly name.
It is something you can (and should) do with the completed certificate while
NOT even having (nor letting the programs have) access to the private key.


On 12/2/2011 9:01 AM, Hopkins, Nathan wrote:
>
> A friendly name is a field of a certificate - typically if you check 
> for example IE - you'll see a column entitled friendly name and most 
> certificates have these.
>
> I believe the method I'm using below creates a certificate only - if I 
> understand correctly PKCS12 is a type of certificate container so I am 
> not sure if I need this?
>
> That said I have seen postings with a PKCS12 export and a -name option 
> but was hoping there was similar option to add to the steps I'm doing 
> below?
>
>
>
> ----- Original Message -----
> From: owner-openssl-us...@openssl.org <owner-openssl-us...@openssl.org>
> To: openssl-users@openssl.org <openssl-users@openssl.org>
> Sent: Fri Dec 02 00:23:10 2011
> Subject: Re: Friendly name
>
> On Thu, Dec 01, 2011, Hopkins, Nathan wrote:
>
> > I'm using the below commands to create a ca ...
> >
> >
> >
> > openssl genrsa -des3 -out ca.key 2048
> >
> > openssl req -new -x509 -key ca.key -out ca.crt -days 730
> >
> > ... please can you advise how I can add a "friendly name" to this cert?
> >
>
> What do you mean by "friendly name": i.e. why do you want to add one and
> what do you expect it to do?
>
> There is a PKCS#12 attribute called friendlyName but adding this to a
> certificate is non-standard.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>
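
Option B from the reply above, as an added example that is not part of the original thread: it builds a throwaway CA with the thread's two commands (made non-interactive), packs only the certificate into PKCS#12 twice under different friendly names, and checks that the certificate fingerprint is the same each time and that no private key is in the container. The passphrase, subject name, file names, and the use of `-aes256`, `-nokeys` and `-caname` are choices of this example, not commands from the thread.

```shell
#!/bin/sh
# Added example. Throwaway test CA; passphrase and names are constructed.
set -eu
PW='example-only-passphrase'
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# CA key and self-signed certificate: the thread's two commands, made
# non-interactive with -passout/-passin and -subj (-aes256 instead of -des3).
make_ca() {
    openssl genrsa -aes256 -passout "pass:$PW" -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/ca.key" -passin "pass:$PW" \
        -subj "/CN=Example Test CA" -days 730 -out "$WORK/ca.crt"
}

# Certificate-only PKCS#12: -nokeys keeps ca.key out of the container;
# -caname (documented as the friendly name for "other certificates", i.e.
# ones without a matching key in the file) sets the friendlyName attribute.
make_p12() {    # $1 = friendly name, $2 = output file
    openssl pkcs12 -export -nokeys -in "$WORK/ca.crt" -caname "$1" \
        -passout "pass:$PW" -out "$2"
}

# Read back what the container actually holds.
dump_certs() { openssl pkcs12 -in "$1" -nokeys -passin "pass:$PW" 2>/dev/null; }
friendly_name() { dump_certs "$1" | sed -n 's/^ *friendlyName: //p'; }
p12_fingerprint() { dump_certs "$1" | openssl x509 -noout -fingerprint -sha256; }
crt_fingerprint() { openssl x509 -noout -fingerprint -sha256 -in "$WORK/ca.crt"; }
has_private_key() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$PW" 2>/dev/null |
        grep -q 'PRIVATE KEY'
}

make_ca
make_p12 "My Certificate" "$WORK/a.p12"
make_p12 "Renamed CA"     "$WORK/b.p12"

for f in a b; do
    echo "$f.p12 friendlyName: $(friendly_name "$WORK/$f.p12")"
    echo "$f.p12 $(p12_fingerprint "$WORK/$f.p12")"
done
echo "ca.crt $(crt_fingerprint)"
if has_private_key "$WORK/a.p12"; then
    echo "a.p12 contains a private key"
else
    echo "a.p12 contains no private key"
fi
```

The two containers report different friendly names but the same fingerprint as `ca.crt`, because the name is an attribute of the PKCS#12 bag and not of the signed certificate.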
