Tim,
Comments below.
Tim Pushor wrote:
>
> Hello,
>
> The subject says it all. I am using a combination of SSLeay 0.9.0, ca-fix,
> and pkcs12 4.1 to attempt to generate a cert chain that will import into
> MSIE 4.01 (US). I am obviously doing something wrong. This is what I am
> doing:
>
> ca-fix -in newcert.pem -out testcert.pem -nscertype 0x20 -inkey
A bit naughty that. I'd suggest you edit the nsCertType line in
ssleay.cnf. Otherwise the certificates used differ from those in the CA
directory. Also I'd suggest 0xa0 for SSL client and S/MIME.
> pkcs12 -chain -export -name "My Certificate" -in newcert.pem -inkey
> newreq.pem -out test.p12
>
> This creates a pkcs12 object that works fine from communicator but not from
> MSIE. I get that great old error message "Failed to import certificate".
>
Several possibilities. One is if you are using a 1024 bit key and haven't
applied the domestic security patch and the manual registry fix in the
FAQ. Otherwise I've known MSIE dislike the CA on occasions: try it
without the -chain option.
You may need to manually import the CA certificate into MSIE with:
x509 -in cacert.pem -outform DER -out cacert.der
then transfer it to the PC and double click on the file. MSIE should let you
install the CA certificate and trust it. I'll add this to the FAQ in the
next version. Alternatively you can link to the cacert.der file with a
web page that returns MIME type application/x-x509-ca-cert.
> Do I need to worry about the -MSIE-hack options to ca?
Nope, that's for something different.
>
> On another vein, if I want to be able to sign objects (Java applets in
> particular) do I need to enable object signing on the ca AND on the cert? I
> haven't played with this yet, but want to make sure my CA is ok for that as
> well before deploying it to our organization.
>
Well the Netscape documentation suggests you need both so I'd stick with
that. Netscape Communicator itself seems to only want the user
certificate being set but that could change.
On the subject of "deploying" the certificates, you should be aware
that the PKCS#12 method is not advisable for generating certificates for
other users, because you end up knowing their private keys. A better
method is the server enrollment method where you can still install
certificates but the users never disclose their private keys.
Steve.
--
Dr Stephen N. Henson.
UK based freelance Cryptographic Consultant. For info see homepage.
Homepage: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED]
PGP key: via homepage.
+-------------------------------------------------------------------------+
| Administrative requests should be sent to [EMAIL PROTECTED] |
| List service provided by Open Software Associates, http://www.osa.com/ |
+-------------------------------------------------------------------------+
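The enrollment flow Steve recommends, written out as an added example that is not part of this thread: the user generates the key pair and CSR locally, the CA signs the CSR with nsCertType = client, email (the 0xa0 bit pattern), converts its own certificate to DER for browser import, and the user assembles the PKCS#12 from a key the CA never saw. It uses the modern `openssl <command>` spellings (the SSLeay-era standalone x509/pkcs12 binaries take the same options); the throwaway self-signed CA, the scratch directory, the names and the passphrase are assumptions.

```shell
#!/bin/sh
# Added example: user-side key generation so the CA never learns the private key.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption)

enroll() {
  cd "$WORK"
  # --- CA side: a throwaway self-signed CA, constructed for this demo ---
  openssl req -x509 -newkey rsa:2048 -nodes -keyout cakey.pem -out cacert.pem \
    -days 30 -subj "/CN=Demo CA" 2>/dev/null
  # CA certificate in DER form, the file a browser imports by hand.
  openssl x509 -in cacert.pem -outform DER -out cacert.der

  # --- user side: key pair and CSR made here; only the CSR travels to the CA ---
  openssl req -newkey rsa:2048 -nodes -keyout userkey.pem -out userreq.pem \
    -subj "/CN=Tim/emailAddress=tim@example.test" 2>/dev/null

  # --- CA side: sign the CSR; client (0x80) + email (0x20) = nsCertType 0xa0 ---
  printf 'nsCertType = client, email\n' > user.ext
  openssl x509 -req -in userreq.pem -CA cacert.pem -CAkey cakey.pem \
    -CAcreateserial -days 30 -extfile user.ext -out usercert.pem 2>/dev/null

  # --- user side: bundle own key, cert and chain; CA sees none of this ---
  openssl pkcs12 -export -chain -CAfile cacert.pem -name "My Certificate" \
    -in usercert.pem -inkey userkey.pem -out test.p12 -passout pass:demo
}

# Checks: cert chains to the CA, key matches cert, nsCertType is set, p12 parses.
check() {
  cd "$WORK"
  openssl verify -CAfile cacert.pem usercert.pem >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -noout -modulus -in usercert.pem)" = \
    "$(openssl rsa -noout -modulus -in userkey.pem 2>/dev/null)" ] || return 1
  openssl x509 -noout -text -in usercert.pem | grep -q "SSL Client, S/MIME" || return 1
  openssl pkcs12 -in test.p12 -passin pass:demo -nokeys -nodes >/dev/null 2>&1 || return 1
  return 0
}
```

Running `enroll` then `check` leaves cacert.der (for the browser) and test.p12 (for the user) in the scratch directory.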