Hello!

We create a certificate request in Internet Explorer via the ActiveX control (certenr3.dll, as described in http://www.ultranet.com/~fhirsch/Papers/cook/ssl_msclient_certs.html) and transmit the certificate request to the server, where it is stored as a CSR file (11.csr).

The following commands generate and sign the certificate from the request. The resulting certificate will be stored in a CRT file (11.crt). The resulting DER file (11.der) cannot be imported as a personal certificate in Internet Explorer.

Does anyone know why?

Best regards,
Stefan Westner

------------------------------------------------------------
openssl x509 -extfile /OpenSSL/certs/client/config.cnf -req -in /NewCert/11.csr -out /OpenSSL/certs/NewCert/11.crt -CA /OpenSSL/certs/ca/ca.crt -CAkey /OpenSSL/certs/ca/ca.key -CAcreateserial -days 365
openssl x509 -in /OpenSSL/certs/NewCert/11.crt -outform DER -out /NewCert/11.der
------------------------------------------------------------
# OpenSSL config file
HOME = .
RANDFILE = P:/OpenSSL/certs/system/.rnd
extensions = 509v3
prompt = no

[ ca ]
default_ca = CA_default

[ CA_default ]
database = P:/OpenSSL/certs/temp/index.txt
new_certs_dir = P:/OpenSSL/certs/temp
certificate = P:/OpenSSL/certs/ca/ca.crt
serial = P:/OpenSSL/certs/ca/.srl
private_key = P:/OpenSSL/certs/ca/ca.key
RANDFILE = P:/OpenSSL/certs/system/.rnd
default_days = 365
default_crl_days = 30
default_md = md5
policy = policy_any

[ policy_any ]
countryName = supplied
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ v3_ca ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ 509v3 ]
basicConstraints = critical,CA:false
#subjectKeyIdentifier = hash
#authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = keyEncipherment, dataEncipherment, keyAgreement, digitalSignature
#Extended Key Usage = TLS Web Client Authentication
subjectAltName = email:copy
issuerAltName = issuer:copy
#nsBaseUrl = https://www.company.de/
#nsRevocationUrl = scripts/CertServer.dll?action=certrevocation&SN=
#nsCaRevocationUrl = scripts/CertServer.dll?action=certcarevocation&SN=
#nsRenewalUrl = scripts/CertServer.dll?action=certrenewal&SN=
#nsCaPolicyUrl = ca/guidelines/index.html
nsComment = "Client-Certificate"
nsCertType = client, email
#nsSslServerName =
------------------------------------------------------------
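
A local sanity check for a DER file produced this way, as an added example that is not part of the original post: it repeats the two x509 commands against a throwaway CA and request, then confirms that the DER output parses, carries the request's public key, and contains the configured extensions. The function names are hypothetical, all keys, subjects and temp-directory files are constructed, and the config is a reduced copy of the post's [ 509v3 ] section.

```shell
#!/bin/sh
# Added example: every key, name and file is a constructed throwaway value.

# issue_demo DIR: run the post's two x509 commands against a stand-in CA and request.
issue_demo() {
    d=$1
    # Stand-in for ca.crt / ca.key
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/C=DE/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    # Stand-in for the browser-generated request 11.csr
    openssl req -new -newkey rsa:2048 -nodes -subj "/C=DE/CN=Demo Client" \
        -keyout "$d/client.key" -out "$d/11.csr" 2>/dev/null || return 1
    # Reduced copy of the post's [ 509v3 ] section (the altName lines are left out)
    cat > "$d/config.cnf" <<'EOF'
extensions = 509v3
[ 509v3 ]
basicConstraints = critical,CA:false
keyUsage = keyEncipherment, dataEncipherment, keyAgreement, digitalSignature
nsCertType = client, email
EOF
    openssl x509 -extfile "$d/config.cnf" -req -in "$d/11.csr" -out "$d/11.crt" \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial -days 365 2>/dev/null || return 1
    openssl x509 -in "$d/11.crt" -outform DER -out "$d/11.der"
}

# pubkey_matches CSR DER: succeeds only if the DER file parses as a certificate
# and carries exactly the public key of the request.
pubkey_matches() {
    req_key=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
    crt_key=$(openssl x509 -inform DER -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$req_key" ] && [ "$req_key" = "$crt_key" ]
}

# has_extension DER NAME: succeeds if the certificate's text dump lists NAME.
has_extension() {
    openssl x509 -inform DER -in "$1" -noout -text 2>/dev/null | grep -q "$2"
}

# check_der DIR: run all checks on DIR/11.der.
check_der() {
    pubkey_matches "$1/11.csr" "$1/11.der" &&
    has_extension "$1/11.der" "X509v3 Key Usage" &&
    has_extension "$1/11.der" "Netscape Cert Type"
}

work=$(mktemp -d) && issue_demo "$work" && check_der "$work" &&
    echo "11.der parses, matches the key in 11.csr, and carries the extensions"
rm -rf "$work"
```

The same `pubkey_matches` and `has_extension` calls can be pointed at a real 11.csr and 11.der to confirm the issued certificate belongs to the key pair that generated the request.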