Dave Botsch wrote:
> 
> Hi there.

Hi,

> Looking at the makefile in the Openca/chain dir, it looks like the
> chained CA cert that is created is just left there?

In the chain directory you have to put all the certs of your up-level
CAs; then, using the update chain command, some links are built.
 
> So, if I want to sign certificates with my chained CA certificate

With your CA's certificate...

> so that web browsers and email clients can automatically verify them,

They have to import the full chain in order to verify your certificates;
you have to provide them, or at least links to them, at your website.

> I would need to copy the *.crt file over one (or all) of the cacert.pem
> files? And, would I also need to convert this to a .der format and
> copy it over the cacert.der file(s)?

No, you must not do it! Simply copy the certificates to some publicly
available directory and link them from some pages (I suggest from the
request one and/or the main certification services one).

It could be possible to chain all the cacerts into one single pkcs7
structure, but you need to use some tool (openssl is capable of doing
this, AFAIK). We probably will need to write something about this
to support IE...

-- 

C'you,

        Massimiliano Pala

--o-------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]                  [EMAIL PROTECTED]
                                                          [EMAIL PROTECTED]
                                                     [EMAIL PROTECTED]
http://www.openca.org                            Tel.:   +39 (0)59  270  094
http://openca.sourceforge.net                    Mobile: +39 (0)347 7222 365
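
The single PKCS#7 structure mentioned in the reply above can be built with openssl's crl2pkcs7 subcommand. The script below is an added example, not part of the original message or of OpenCA; the function names, file names and the constructed two-level test chain are assumptions.

```shell
#!/bin/sh
# Added example: bundle a CA chain into one certs-only PKCS#7 file.

# bundle_chain OUT.p7b CERT.pem [CERT.pem ...]
bundle_chain() {
    out=$1; shift
    n=$#
    [ "$n" -gt 0 ] || { echo "usage: bundle_chain OUT CERT..." >&2; return 2; }
    while [ "$n" -gt 0 ]; do
        # Reject anything that does not parse as an X.509 certificate
        # before it goes into the published bundle.
        openssl x509 -in "$1" -noout 2>/dev/null ||
            { echo "not a certificate: $1" >&2; return 1; }
        set -- "$@" -certfile "$1"   # append the file as an option ...
        shift                        # ... and drop the bare file name
        n=$((n - 1))
    done
    # -nocrl: no CRL is included, only the certificates.
    openssl crl2pkcs7 -nocrl "$@" -outform DER -out "$out"
}

# count_certs BUNDLE.p7b: number of certificates inside the bundle.
count_certs() {
    openssl pkcs7 -inform DER -in "$1" -print_certs | grep -c 'BEGIN CERTIFICATE'
}

# make_demo_chain DIR: constructed root CA and sub CA, for testing only.
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed Sub CA" \
        -keyout "$1/sub.key" -out "$1/sub.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/sub.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -set_serial 2 -days 1 -out "$1/sub.pem" 2>/dev/null
}

# "sh bundle.sh demo" builds a bundle from the constructed chain and
# prints how many certificates it holds.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && make_demo_chain "$d" &&
        bundle_chain "$d/chain.p7b" "$d/root.pem" "$d/sub.pem" &&
        count_certs "$d/chain.p7b"
fi
```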
