Hi, I saw the following question on the OpenSSL support site (http://www.openssl.org/support/faq.html), which says:

    openssl pkcs12 -export -out cacert.p12 -in cacert.pem -inkey cakey.pem

DO NOT DO THIS! This command will give away your CAs private key and reduces its security to zero: allowing anyone to forge certificates in whatever name they choose.

12. How do I install a CA certificate into a browser?

The usual way is to send the DER encoded certificate to the browser as MIME type application/x-x509-ca-cert, for example by clicking on an appropriate link. On MSIE certain extensions such as .der or .cacert may also work, or you can import the certificate using the certificate import wizard.

You can convert a certificate to DER form using the command:

    openssl x509 -in ca.pem -outform DER -out ca.der

Occasionally someone suggests using a command such as:

    openssl pkcs12 -export -out cacert.p12 -in cacert.pem -inkey cakey.pem

DO NOT DO THIS! This command will give away your CAs private key and reduces its security to zero: allowing anyone to forge certificates in whatever name they choose.

=====================================

May I know why the openssl command behaves so? What's the alternative for importing a cert and key into any application using openssl or any other tool?

Appreciate your help.

Thanks
-Ashok
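
The difference between the two commands quoted from the FAQ, as an added example that is not part of the original post or the OpenSSL FAQ: the script builds a throwaway CA, runs both conversions, and checks which output file carries the CA private key. The temp directory, the subject name, the password `demo` and the three helper function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: throwaway CA in a temp dir. The subject name and the
# password "demo" are constructed for this demo, not taken from the post.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
PASS=demo

# 0 if PKCS#12 file $1 (import password $2) carries a private key.
p12_has_private_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY'
}

# 0 if the key inside PKCS#12 file $1 (password $2) is the key pair behind
# certificate $3, i.e. the file hands out the CA signing key itself.
p12_key_matches_cert() {
    from_p12=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes \
        2>/dev/null | openssl pkey -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$3" -noout -pubkey) || return 1
    [ "$from_p12" = "$from_cert" ]
}

# 0 if DER file $1 parses as a certificate and not as a private key.
der_is_cert_only() {
    openssl x509 -in "$1" -inform DER -noout 2>/dev/null || return 1
    ! openssl pkey -in "$1" -inform DER -noout -passin pass: \
        </dev/null >/dev/null 2>&1
}

# Throwaway CA standing in for cacert.pem / cakey.pem.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Throwaway CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null

# The conversion the FAQ recommends: certificate only, DER encoded.
openssl x509 -in "$WORK/cacert.pem" -outform DER -out "$WORK/ca.der"

# The command the FAQ warns against (password added so it runs unattended).
openssl pkcs12 -export -out "$WORK/cacert.p12" -in "$WORK/cacert.pem" \
    -inkey "$WORK/cakey.pem" -passout "pass:$PASS"

if der_is_cert_only "$WORK/ca.der"; then
    echo "ca.der: certificate only, holds no private key"
fi
if p12_key_matches_cert "$WORK/cacert.p12" "$PASS" "$WORK/cacert.pem"; then
    echo "cacert.p12: contains the CA private key, do not distribute"
fi
```

Anyone who must import `cacert.p12` also needs its import password, so the password does not protect the key from the people the file is sent to.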