The only thing you must do is export the *certificate* (which contains the CA public key, which must be public). You do not, under any circumstances, want to export the CA private key... and if you do, you NEVER EVER EVER NO MATTER WHAT CIRCUMSTANCES YOU MIGHT THINK WARRANT IT export the CA private key and give it to someone else. (Keeping the key in an unencrypted PKCS#12 container must be treated precisely the same as if you'd given it to someone else, and the repercussions are severe: you must revoke the CA certificate, remove it as a trust anchor from all devices and clients which have had it provisioned, create a new keypair, create a new CA certificate, and distribute/reprovision the new one to all devices and clients that need to rely on it.)
A PKCS#12 (or PFX) file contains both. The .cer or .crt file contains only the certificate (which contains its public key). The .crt is the only one you want to distribute.

-Kyle H

On Mon, Feb 15, 2010 at 12:42 PM, Ashok Kumar <ashok.ku...@csueastbay.edu> wrote:
> Hi,
>
> I saw the following question on the openssl support site
> (http://www.openssl.org/support/faq.html), which says:
>
> openssl pkcs12 -export -out cacert.p12 -in cacert.pem -inkey cakey.pem
>
> DO NOT DO THIS! This command will give away your CA's private key and
> reduces its security to zero: allowing anyone to forge certificates in
> whatever name they choose.
>
> 12. How do I install a CA certificate into a browser?
>
> The usual way is to send the DER encoded certificate to the browser as
> MIME type application/x-x509-ca-cert, for example by clicking on an
> appropriate link. On MSIE certain extensions such as .der or .cacert
> may also work, or you can import the certificate using the certificate
> import wizard.
>
> You can convert a certificate to DER form using the command:
>
> openssl x509 -in ca.pem -outform DER -out ca.der
>
> Occasionally someone suggests using a command such as:
>
> openssl pkcs12 -export -out cacert.p12 -in cacert.pem -inkey cakey.pem
>
> DO NOT DO THIS! This command will give away your CA's private key and
> reduces its security to zero: allowing anyone to forge certificates in
> whatever name they choose.
>
> =====================================
>
> May I know why the openssl command behaves so?
>
> What's the alternative to import a cert and key into any application using
> openssl or any other tool?
>
> Appreciate your help.
>
> Thanks
> -Ashok
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-us...@openssl.org
> Automated List Manager majord...@openssl.org
> ______________________________________________________________________
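As an added example (not code from Kyle's reply or from the OpenSSL FAQ), the following POSIX shell script puts the thread's advice into a repeatable check: it builds a throwaway demo CA in a scratch directory, exports only the certificate in PEM and DER form as the FAQ describes, and then audits each file before it would be handed out, flagging anything that parses as a private key. The file names (cakey.pem, cacert.pem, ca.crt, ca.der, cacert.p12), the demo subject and the password "demo" are assumptions made for the example; it only needs the openssl command line tool.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway demo CA in a scratch
# directory, export only its certificate, and audit each file before it is
# handed out so that no private key ever leaves the CA host.
# File names, the demo subject and the PKCS#12 password are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed demo CA: a self-signed certificate plus its private key.
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Root CA (example only)" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" >/dev/null 2>&1
}

# What gets distributed: the certificate alone, as PEM (.crt) and as DER (.der).
export_ca_cert() {
  cp "$WORK/cacert.pem" "$WORK/ca.crt"
  openssl x509 -in "$WORK/cacert.pem" -outform DER -out "$WORK/ca.der"
}

# True (exit 0) when FILE parses as an X.509 certificate in FORM (PEM or DER).
is_certificate() {
  openssl x509 -in "$1" -inform "$2" -noout >/dev/null 2>&1
}

# True (exit 0) when FILE parses as a private key: such a file must never ship.
has_private_key() {
  openssl pkey -in "$1" -noout >/dev/null 2>&1
}

# True (exit 0) when the PKCS#12 file FILE (password PASS) bundles a private key.
# The key material is streamed to grep only; nothing is written to disk.
pkcs12_has_private_key() {
  openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null \
    | grep -q "PRIVATE KEY"
}

# Run the checks and print a verdict per file.
audit_demo() {
  make_demo_ca
  export_ca_cert
  for f in ca.crt ca.der cakey.pem; do
    if has_private_key "$WORK/$f"; then
      echo "$f: contains a PRIVATE KEY - keep it on the CA host, do not distribute"
    else
      echo "$f: no private key found - safe to distribute as a trust anchor"
    fi
  done
  # The bundle the FAQ warns against, built here only so the audit can flag it.
  openssl pkcs12 -export -in "$WORK/cacert.pem" -inkey "$WORK/cakey.pem" \
    -passout pass:demo -out "$WORK/cacert.p12"
  if pkcs12_has_private_key "$WORK/cacert.p12" demo; then
    echo "cacert.p12: bundles the CA private key - never hand this file out"
  fi
}

audit_demo
```

The audit functions are the reusable part: run `has_private_key` over every file in a distribution package and `pkcs12_has_private_key` over any .p12/.pfx someone asks you to ship, and refuse to publish anything that returns true. If a private key is ever found in material that has already left the CA host, the thread's remediation applies in full: revoke the CA certificate, remove it as a trust anchor everywhere, and re-key.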