Hi Olaf et Al.
Use this command line with your settings.
It should work since in my LX box it works with Netscape/OutLook!
openssl pkcs12 -export -inkey hostKey.pem \
-in hostCert.pem -name "soggy" \
-certfile caCert.pem -caname "Root CA" \
-out hostCert.p12
Then import your personal cert in Netscape/Outlook.
After that your and Root-Cert will be in.
Please give me a feed-back.
Enjoy!
Olaf Zaplinski wrote:
>
> Hi all,
>
> this is what I did:
>
> # openssl genrsa -des3 -out ca.key
> # openssl req -key ca.key -nodes -new -out ca.req
> # openssl x509 -days 1000 -in ca.req -req -signkey ca.key -out ca.pem
>
> moved ca.pem to demoCA/cacert.pem and ca.key to demoCA/private/cakey.pem
>
> Then:
>
> # openssl ca -cert demoCA/cacert.pem -ss_cert demoCA/cacert.pem -out ca.pem
> Using configuration from /usr/local/ssl/openssl.cnf
> Enter PEM pass phrase:
> Check that the request matches the signature
> Signature ok
> The Subjects Distinguished Name is as follows
> countryName :PRINTABLE:'DE'
> stateOrProvinceName :PRINTABLE:'Hamburg'
> localityName :PRINTABLE:'Hamburg'
> organizationName :PRINTABLE:'zaplinski.de certificate services'
> commonName :PRINTABLE:'zaplinski.de root CA'
> emailAddress :IA5STRING:'[EMAIL PROTECTED]'
> Certificate is to be certified until Aug 27 21:18:49 2002 GMT (365 days)
> Sign the certificate? [y/n]:y
>
> 1 out of 1 certificate requests certified, commit? [y/n]y
> Write out database with 1 new entries
> Data Base Updated
>
> # mv ca.pem demoCA/cacert.pem
>
> So I now have my self signed CA.
>
> But how can I import that in IE and NS? I could not find any information on
> the web. 'openssl pkcs7 -i demoCA/cacert.pem -outform DER -out ca.p7b' did
> not work, and AFAIK MS IE5 only eats pkcs7 files. But, even if I show it
> pkcs7, it continues to say the file format isn't recognized.
>
> I even had an own little CA and a CA signed cert for SSL'ed POP3 and SMTP,
> but after importing that cert to Netscape it did not know anything about my
> CA. MS IE5 refused to import that. So I deleted everything and started all
> over.
>
> Is there any HOWTO/FAQ how to
>
> - build an own CA
> - import that CA into Netscape/IE
> - build a server cert signed by that CA *not* to be used by apache but
> mailer apps
> - also import that into Netscape/IE?
>
> I could not find any information on the web.
>
> Any hints welcome!
>
> Olaf
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
--
# .- ...- . .-. .-. --- . ... .- .-.-.- .- -.-- ... .... .-
# Averroes A. Aysha
# Think Linux, Think Slackware!
# Network Security Auditor (NSA)
# e-fingerprint = 73B7 2559 2968 5094 3B95 5C70 4E85 5F94 6068 1DD8
# http://www.keyserver.net/en/
# .- ...- . .-. .-. --- . ... .- .-.-.- .- -.-- ... .... .-
S/MIME Cryptographic Signature
