On Mon, Apr 27, 2009, rjustinwilli...@gmail.com wrote:

> Hi All
> This may have been covered previously, and if so, please point me to that,
> but, here's where I'm running into a wall.
> My goal is to be able to use a client certificate, without having to type
> in a password every time I visit my site. Currently, I'm just in a test
> lab, so, nothing production (or even public) that I can show anybody.
> I have created a self-signed ca root cert, and then used that to create a
> client cert.
> I have exported my client key/cert into a .p12 file
> I have imported my ca.crt and .p12 files into IE successfully.
> When I import the .p12 cert, I cannot seem to *not* assign it a password; I
> also cannot seem to change the security settings on it.
>
> End result, IE seems to be forcing me to type in a password to access the
> cert that I have imported.
>
> I have created the key/cert with password, and exported to .p12
> I have tried re-creating the key/cert with no passwords, and exporting that
> to .p12
> I have tried the above, and exported to .p12 with no export password.
>
> In all cases, IE's import wizard will not let me import the .p12 without
> setting an access password, and will not let me visit the test site without
> giving said access password.
>
> My goal is to be able to give out a client cert to allow specific people to
> visit, without their having to enter a password, and this seems to be
> breaking...
>
> Anybody have similar experiences??

There are two different issues here. One is the importation of the key/cert.
The second is *use* of the key/cert.

When you create a PKCS#12 file it is encrypted using a password. You need that
password to import the key and store it in IE's internal stores. It is
advisable to always use a password because otherwise anyone who gains access
to the file can use the key.

Once the key/cert is imported the PKCS#12 file is not used again: the internal
stored version is used instead.

If you don't have the box "enable strong private key protection" set in the
import wizard the key can be silently used from then on. This is the "low
security" setting. If you have the box clicked you can select medium
(notification but no password required) and high (password required).

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
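
An added example, not part of the original thread and not the OpenSSL project's own code: the first of the two issues in the reply above, shown with the `openssl` command line. It builds a throwaway CA and client certificate, exports them to a PKCS#12 file under an export password, and checks that the file opens only with that password. All subject names, file names and passwords are constructed lab values.

```shell
#!/usr/bin/env bash
# Added example; every name and password here is a constructed lab value.
set -eu

WORK=$(mktemp -d)

# Build a throwaway self-signed CA and a client certificate signed by it.
make_client_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Lab Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=lab-client" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/client.csr" -days 30 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/client.crt" 2>/dev/null
}

# Bundle key + cert into a PKCS#12 file encrypted under an export password.
# This password protects the file only; it is needed once, at import time.
export_p12() {   # $1 = export password
    openssl pkcs12 -export \
        -inkey "$WORK/client.key" -in "$WORK/client.crt" \
        -certfile "$WORK/ca.crt" -name "lab-client" \
        -passout "pass:$1" -out "$WORK/client.p12"
}

# Returns success only if the candidate password opens the file.
p12_opens_with() {   # $1 = candidate password
    openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$1" -noout 2>/dev/null
}

make_client_cert
export_p12 'constructed-export-pw'

if p12_opens_with 'constructed-export-pw'; then
    echo "correct export password: file opens"
fi
if ! p12_opens_with 'wrong-pw'; then
    echo "wrong export password: file rejected"
fi
```

The store protection level described in the reply (low, medium or high) is chosen separately in the import wizard; the export password used here plays no part once the key has been imported.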