Re: help! problem with certificate!!

Sat, 12 Aug 2000 05:04:23 -0700 

From: [EMAIL PROTECTED]

[This really belongs in openssl-users for now]

huangchenc>    the atachments is the certificate i imported into netscape,
huangchenc>    ice.p12 --- generated by openssl,(private passwd:
huangchenc>                hhhhhh) and signText() can't work
huangchenc>    zeyi.p12--- generated by thawte.com, (private passwd:
huangchenc>                fish123) signText () can sign successfully.

Both files have the key algorithms RSAencryption which OpenSSL doesn't
want to deal with (with good reason, it's an old deprecated algorithm),
so how openssl could create ice.p12 is beyond me.  Otherwise, a quick
look (using 'openssl pkcs12 -info -in ice.p12 -nokeys' for example)
shows a difference in order of the bags.  In ice.p12, the certificate
chain is ordered leaf to root followed by the private key, while ni
zeyi.p12 the order is reversed (actually, almost, the order is private
key followed by intermediary CA cert, followed by root cert, followed
by the leaf (your cert)).  If this difference in order is of any
importance for netscape I've no idea.  Steve might be able to tell us
more about that.

Another possibility is the MAC iteration count which is 1 in zeyi.p12
and 2048 in ice.p12.  From reading the PKCS12 document, 1 is the
default (and kept around for historical reasons) but deprecated while
2048 is more of a recommended value.  Could it be that netscape has
sloppy programming for this and only understands the default?  I
certainly hope not.

This is, of course, purely guessing.  I don't know enough about pkcs12
or netscape to asy anything authoritative.

OBTW, what version of netscape are we talking about?

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \      SWEDEN       \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to