Hi, Jason!

On 2002-11-18 at 23:19, "Jason Haar" wrote at
<[EMAIL PROTECTED]>:

...
> Wow - OK I didn't have authorityInfoAccess, and I didn't use "-keysig". Does
> that disable functionality of the cert in any way? I want to generate server
> certs that can be used by Apache/IIS and EAP-TLS, and client certs that
> allow users to do S/MIME, and EAP-TLS - does the "-keysig" break any of that?

MS-Backgrounds:
When using the MS-Crypto API (which I never did, just googled it), you need
to set xenroll.KeySpec either as AT_SIGNATURE or AT_KEYEXCHANGE. In our
case, when I created a CA-cert for a certificate server, I needed
AT_SIGNATURE.
xenroll.KeySpec affects the key storage and specifies key usage. It does not
change anything in the certificate itself. Therefore it can be set only in
pkcs12, when using openssl.

In your case, creating a server certificate (and using the keys for this
type of activity), I would suppose that you would need the option "-keyex"
instead of "-keysig". (... just had a look at my old e-mails and project
notes concerning this stuff, hope I got it right.)

Best regards,
Michael

P.S.: There is some rudimentary information concerning this in the man page of
pkcs12.

-- 
************************************************************************
Karl-Michael Werzowa
A-1190 Wien, Paradisgasse 28/4/6
+43 (664)302 4511,  fax +43 (1)328 1992 14
[EMAIL PROTECTED], [EMAIL PROTECTED]
************************************************************************

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
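
A way to check the point made in the message above, that "-keyex" / "-keysig" change only what is stored with the key in the PKCS#12 file and not the certificate. This is an added example, not part of the original e-mail; it assumes an `openssl` binary on the PATH, and the subject name, password and file names are constructed sample values.

```shell
#!/bin/sh
# Added example: throwaway key and certificate, sample password (constructed values).
PASS=pass:constructed

# Create one self-signed cert and export it twice, differing only in -keyex / -keysig.
make_p12s() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    for flag in keyex keysig; do
        openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
            "-$flag" -passout "$PASS" -out "$dir/$flag.p12"
    done
}

# SHA-256 fingerprint of the certificate carried in a PKCS#12 file.
cert_fp() {
    openssl pkcs12 -in "$1" -passin "$PASS" -nokeys 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# Attributes attached to the private key inside the PKCS#12 file
# (the text between "Key Attributes" and the PEM key itself).
key_attrs() {
    openssl pkcs12 -in "$1" -passin "$PASS" -nocerts -nodes 2>/dev/null |
        sed -n '/^Key Attributes/,/^-----BEGIN/p' | grep -v '^-----BEGIN'
}

work=$(mktemp -d)
make_p12s "$work"
for f in keyex keysig; do
    echo "== $f.p12"
    cert_fp "$work/$f.p12"     # same fingerprint for both files
    key_attrs "$work/$f.p12"   # key attributes differ between the two files
done
```

The certificate fingerprint is the same for both exports, while the key attributes are not, so the choice between the two options can be made at export time without reissuing the certificate.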
