Hopefully you are sorted by now but, if not, perhaps the following will help.
I am assuming you want to set up a secure web application where you issue "user" certificates to allow people to access your Web site over SSL. If this is the case then you need to create a little CA which you can then use to create both the required Web server SSL cert and the certs for your users. I think you mentioned somewhere that the Web server cert would be used to sign the user certs; this is not correct. It's a CA that signs certs, and it's the CA cert that provides a common point of trust.

You are quite right in thinking that OpenSSL will do what you need. You can use it to create a mini CA (which will require generation of RSA keys) and then you can use it to generate the keys and certificates used within the user and SSL (user certs and the SSL cert the Web server uses). OpenSSL tends to use PEM format, which is really a method of encoding data rather than a specific thing or object. Once you have used OpenSSL to generate the necessary certificates (which will be stored in the PEM format) you can use OpenSSL again to convert them to P12 or PFX (both the same really), and these can be read straight into the vast majority of browsers that support certs.

OpenSSL can be a bit confusing, so you might want to look at:

http://www.openssl.org/docs/apps/CA.pl.html

which is supposedly an easy front end to OpenSSL, and there are instructions on the steps I have outlined above. In Google, search for things like "setting up an OpenSSL CA". There are quite a few useful pages, I think.

If you are feeling really brave you could go the whole hog and set up a full CA using something like OpenCA, but I would only recommend this if you need to issue and manage reasonably large numbers. You do get the Web interfaces that enable the browser key generation process for free, so perhaps worth thinking about if that's important.

Hope this helps a bit,

Mark.
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of nospam
> Sent: 12 September 2005 03:57
> To: [email protected]
> Subject: using openssl to create pkcs12 to import to mozilla?
>
>
> I'm using linux, and failing to create key pairs for mozilla. The
> problem is that I have yet to figure out the right way to use the
> openssl tools for creating a key pair in the pkcs12 that mozilla will
> import. I need to create a key pair, and send a public key to be signed
> by a private web site in order to access the site. Do I start with the
> creation of an rsa key pair like I would with apache, and then create a
> request to sign from that? Or do I somehow convert it to pkcs12 after
> the rsa pair? Or do I start directly with a pkcs12 and send the public
> key to be signed? Every variation I've tried from the man pages and docs
> I end up with a 0-byte file. Is it even possible for an individual to
> use openssl to create a personal key pair that mozilla can import?
> _______________________________________________
> mozilla-crypto mailing list
> [email protected]
> http://mail.mozilla.org/listinfo/mozilla-crypto
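
Added example, not part of either message above: the sequence discussed in this thread (mini CA, user key pair and signing request, CA-signed user cert, PKCS#12 bundle for browser import) written with plain `openssl` commands rather than CA.pl. The file names, subject names and password are constructed placeholders, and it assumes a stock `openssl.cnf` so that the self-signed certificate is marked as a CA.

```shell
#!/bin/sh
# Added example: file names, subjects and the password are constructed.
# Usage: build_user_p12 ./pki 'export-password' && check_user_p12 ./pki 'export-password'

build_user_p12() {
    dir=$1; pass=$2
    mkdir -p "$dir" &&
    # 1. Mini CA: RSA key plus self-signed CA cert (the common point of trust).
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Mini CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
    # 2. User side: RSA key pair and a certificate request (CSR).
    #    Only user.csr goes to the signer; user.key stays with the user.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=Example User" \
        -keyout "$dir/user.key" -out "$dir/user.csr" 2>/dev/null &&
    # 3. CA side: sign the request with the CA key (not the Web server cert).
    openssl x509 -req -in "$dir/user.csr" -days 365 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/user.pem" 2>/dev/null &&
    # 4. User side: bundle private key, signed cert and CA cert into PKCS#12.
    #    -export is required when writing a .p12; both -inkey and -in must
    #    point at existing PEM files.
    openssl pkcs12 -export -name "Example User" \
        -inkey "$dir/user.key" -in "$dir/user.pem" -certfile "$dir/ca.pem" \
        -passout "pass:$pass" -out "$dir/user.p12"
}

check_user_p12() {
    dir=$1; pass=$2
    # Non-empty bundle, cert chains to the CA, and the bundle opens with
    # the password and contains the user's certificate.
    [ -s "$dir/user.p12" ] &&
    openssl verify -CAfile "$dir/ca.pem" "$dir/user.pem" >/dev/null 2>&1 &&
    openssl pkcs12 -in "$dir/user.p12" -passin "pass:$pass" \
        -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject 2>/dev/null |
        grep -q "Example User"
}
```

When the signer is a separate party, steps 1 and 3 run on their side and only `user.csr` and the returned `user.pem` cross between the two.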
