Found out my problem. After generating the key with key manager (and the
request), signing it with openssl, I was not able to install the certificate.

I hope it will help you too...

openssl ca -config openssl.cnf -cert ssl.crt/CA.crt -in ssl.csr/IIS.csr \
  -keyfile ssl.key/CA.key -days 360 -out ssl.crt/IIS.crt

After this command you have an IIS.crt, or signed certificate. The file
contains some text and at the end a -CERTIFICATE- section. Key Manager does
not like this text part. Just do

openssl x509 -in IIS.crt -out IISx509.crt

Which basically removes all the text to keep only the -CERTIFICATE- section.

I was able then to install this certificate.


Franck Martin
Network and Database Development Officer
SOPAC South Pacific Applied Geoscience Commission
Fiji
E-mail: [EMAIL PROTECTED]
Web site: http://www.sopac.org/
Support FMaps: http://fmaps.sourceforge.net/

This e-mail is intended for its addresses only. Do not forward this e-mail
without approval. The views expressed in this e-mail may not be necessarily
the views of SOPAC.



-----Original Message-----
From: Nicolas Ostermann [mailto:[EMAIL PROTECTED]]
Sent: Friday, 2 November 2001 11:26 
To: [EMAIL PROTECTED]
Subject: Failed to export a server certificate in IIS 5.0


Hello all,

I am running apache-1.3.19-5 with mod_ssl-2.8.1-5 and openssl-0.9.6-9 on
RedHat7.1.

Everything is working perfectly within the Linux world except when I try to
export key + certificate into IIS 5.0 (not my choice!).
I use "import a certificate from a key manager backup file", then I select
my IISNET.key file. It does NOT recognize the password I set up earlier to
protect the key file.

Following is what I did in my Linux server:

- For my self signed CA certificate:
openssl genrsa -des3 -out ssl.key/CA.key 1024
openssl req -new -x509 -days 365 -key ssl.key/CA.key -out ssl.crt/CA.crt
openssl pkcs12 -export -in ssl.crt/CA.crt -inkey ssl.key/CA.key -out pkcs12/CA.p12
(pkcs12 command to have the ca certificate in pkcs12 format and be able to
import it into browsers)

- For my IIS server certificate:
openssl genrsa -des3 -out ssl.key/IIS.key 1024
openssl req -new -key ssl.key/IIS.key -out ssl.csr/IIS.csr
openssl ca -config openssl.cnf -cert ssl.crt/CA.crt -in ssl.csr/IIS.csr \
  -keyfile ssl.key/CA.key -days 360 -out ssl.crt/IIS.crt
openssl rsa -in ssl.key/IIS.key -outform NET -out ssl.key/IISNET.key
(rsa is supposed to change the format of the server private key file to be
able to import it into IIS)


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
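
The effect of the `openssl x509 -in IIS.crt -out IISx509.crt` step from the reply above, as an added Python example (not code from either poster or from OpenSSL): it drops the text part of the signed file, keeps only the certificate block, and checks that the block's outer DER length matches its size. The names `strip_text_part`, `der_total_length` and `SAMPLE` are hypothetical, and the sample is a constructed placeholder blob rather than a real certificate.

```python
import base64
import re
import textwrap

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)-----END CERTIFICATE-----", re.S)


def der_total_length(der):
    """Return the size the outer DER SEQUENCE header claims for the whole blob."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                        # short form: length fits in one byte
        return 2 + der[1]
    n = der[1] & 0x7F                        # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def strip_text_part(ca_output):
    """Split a signed-certificate file into (text part, bare PEM certificate)."""
    blocks = list(PEM_RE.finditer(ca_output))
    if len(blocks) != 1:
        raise ValueError(f"expected one certificate block, found {len(blocks)}")
    m = blocks[0]
    # Whitespace (including CR from Windows line endings) is not part of the data.
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    if der_total_length(der) != len(der):
        raise ValueError("certificate body is truncated or has trailing bytes")
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    return ca_output[:m.start()], pem


# Constructed sample: placeholder DER bytes (not a real certificate) behind the
# kind of human-readable text that precedes the certificate block.
_der = b"\x30\x81\xc8" + bytes(range(200))
_b64 = "\n".join(textwrap.wrap(base64.b64encode(_der).decode(), 64))
SAMPLE = (
    "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
    "        Subject: CN=iis.example.test\n"
    f"-----BEGIN CERTIFICATE-----\n{_b64}\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    text_part, pem = strip_text_part(SAMPLE)
    print(f"dropped {len(text_part.splitlines())} text lines")
    print(pem, end="")
```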
