On Mon, Aug 18, 2003, Sevcik Berndt wrote:

> I am using the following script to create my certificate.
> openssl req -new -keyout newreq.pem -out newreq.pem -passin
> pass:1whatever -passout pass:whatever -days 365
> openssl ca -policy policy_anything -out newcert.pem -passin
> pass:whatever -key whatever -extensions xpclient_ext -extfile
> xpextensions -infiles newreq.pem
> openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out $1.p12
> -clcerts -passin pass:whatever -passout pass:whatever
> openssl x509 -inform PEM -outform DER -in $1.pem -out $1.der
> rm -rf newcert newreq.pem
>
> When I execute this command I am asked for a challenge password. But I
> provided at the commands themselves a -passin pass and -passout pass. Is
> this the same or are these different passwords? It seems to me that the
> challenge password I am asked to enter during creation is not used for
> the certificate.
>
It's just an attribute that's included in the request. Some CAs might make use of it, for example as some means of revoking a certificate later. OpenSSL's internal 'ca' command ignores it, as does 'x509'.

> And a second question:
> When I import the .p12 file into Windows I am asked for a password I am
> asked for a Secret. Is this the challenge password?
>

No, it's whatever password you used when you created the PKCS#12 file (the "export password").

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
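
The three secrets discussed in this thread, shown side by side as an added example (not part of the original messages or the OpenSSL project's code): the private-key passphrase, the CSR challenge password, and the PKCS#12 export password. All passwords, names and paths are constructed placeholders, and `x509 -req` self-signing stands in for the `ca` step.

```sh
#!/bin/sh
# Added example; every password, name and path below is a constructed placeholder.
# Three separate secrets: key passphrase, CSR challenge password, PKCS#12 export password.
demo() {
    w=$(mktemp -d) || return 1
    # With prompt=no the challenge password is supplied as a request attribute.
    cat > "$w/req.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
attributes = attrs
[ dn ]
CN = example-client
[ attrs ]
challengePassword = challenge-secret
EOF
    # -passout here encrypts the private key; it has nothing to do with the attribute.
    openssl req -new -newkey rsa:2048 -config "$w/req.cnf" -keyout "$w/key.pem" \
        -out "$w/req.pem" -passout pass:key-secret 2>/dev/null || return 1
    # Issue a certificate from the request (self-signed to keep the demo short).
    openssl x509 -req -in "$w/req.pem" -signkey "$w/key.pem" \
        -passin pass:key-secret -days 1 -out "$w/cert.pem" 2>/dev/null || return 1
    # -passin opens the key; -passout sets the export password asked for on import.
    openssl pkcs12 -export -in "$w/cert.pem" -inkey "$w/key.pem" \
        -passin pass:key-secret -out "$w/client.p12" \
        -passout pass:export-secret || return 1

    csr_has_challenge=no cert_has_challenge=no export_opens=no challenge_opens=no
    # The attribute is visible in the request ...
    openssl req -in "$w/req.pem" -noout -text \
        | grep -q 'challenge-secret' && csr_has_challenge=yes
    # ... but is not carried into the issued certificate.
    openssl x509 -in "$w/cert.pem" -noout -text \
        | grep -q 'challenge-secret' && cert_has_challenge=yes
    # Only the export password passes the PKCS#12 MAC check.
    openssl pkcs12 -in "$w/client.p12" -noout \
        -passin pass:export-secret 2>/dev/null && export_opens=yes
    openssl pkcs12 -in "$w/client.p12" -noout \
        -passin pass:challenge-secret 2>/dev/null && challenge_opens=yes
    rm -rf "$w"
    return 0
}

demo && echo "csr_has_challenge=$csr_has_challenge cert_has_challenge=$cert_has_challenge" \
             "export_opens=$export_opens challenge_opens=$challenge_opens"
```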
