Hi, Jason!
On 2002-11-18 at 23:19, "Jason Haar" wrote at <[EMAIL PROTECTED]>:

...
> Wow - OK I didn't have authorityInfoAccess, and I didn't use "-keysig". Does
> that disable functionality of the cert in any way? I want to generate server
> certs that can be used by Apache/IIS and EAP-TLS, and client certs that
> allow users to do S/MIME, and EAP-TLS - does the "-keysig" break any of that?

MS-Backgrounds: When using the MS-Crypto API (which I never did, just googled it), you need to set xenroll.KeySpec either as AT_SIGNATURE or AT_KEYEXCHANGE. In our case, when I created a CA-cert for a certificate server, I needed AT_SIGNATURE.

xenroll.KeySpec affects the key storage and specifies key usage. It does not change anything in the certificate itself. Therefore it can be set only in pkcs12, when using openssl.

In your case, creating a server certificate (and using the keys for this type of activity), I would suppose that you would need the option "-keyex" instead of "-keysig".

(... just had a look at my old e-mails and project notes concerning this stuff, hope I got it right.)

Best regards,
Michael

P.S.: There is some rudimentary information concerning this in the man page of pkcs12.

-- 
Karl-Michael Werzowa
A-1190 Wien, Paradisgasse 28/4/6
+43 (664)302 4511, fax +43 (1)328 1992 14
[EMAIL PROTECTED], [EMAIL PROTECTED]
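
Added example, not part of the original message: a shell sketch that exports one throwaway key and self-signed certificate twice with openssl pkcs12, once with -keyex and once with -keysig, and compares the results. It shows the flag being stored as an attribute on the private key inside the PKCS#12 file while the certificate stays the same. The CN, password and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: constructed throwaway key and certificate, nothing from the thread.
set -eu

WORK=$(mktemp -d)
PASS=pass:example        # constructed demo password

# Create a throwaway RSA key and self-signed certificate (placeholder CN).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=server.example.test" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Export key + cert to PKCS#12; $1 is -keyex or -keysig, $2 the output name.
export_p12() {
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        "$1" -passout "$PASS" -out "$WORK/$2"
}

# SHA-256 fingerprint of the original certificate.
cert_fp() {
    openssl x509 -in "$WORK/cert.pem" -noout -fingerprint -sha256
}

# SHA-256 fingerprint of the certificate stored inside a PKCS#12 file.
p12_cert_fp() {
    openssl pkcs12 -in "$WORK/$1" -passin "$PASS" -nokeys 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# "Key Usage" line from the Key Attributes of the private key bag.
p12_key_attr() {
    openssl pkcs12 -in "$WORK/$1" -passin "$PASS" -nocerts -nodes 2>&1 |
        grep 'Key Usage' | tr -d ' '
}

make_cert
export_p12 -keyex  keyex.p12
export_p12 -keysig keysig.p12

echo "original cert : $(cert_fp)"
for f in keyex.p12 keysig.p12; do
    echo "$f cert : $(p12_cert_fp "$f")"
    echo "$f key  : $(p12_key_attr "$f")"
done
```

The three fingerprints match, while the key attribute line differs between the two files.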