> From: owner-openssl-us...@openssl.org On Behalf Of Suresh
> Sent: Tuesday, 26 October, 2010 10:41

> Probably I was not clear in my question.

> When I have several certificates like server cert + key, intermediate
> and root and want all them to bundle in a single file say, PKCS#12.

> Is there a specific sequence to bundle them? <snip examples>

Not that I know of, but I rarely use nontrivial chains.
It might depend on what software will (later) use them.

> Please throw some light here. Thanks.

> On Thu, Oct 21, 2010 at 11:11 PM, Suresh <suresh.chi...@gmail.com> wrote:

> > There is a standard ASN.1 structure, PKCS#7 aka Cryptographic
> > Message Syntax or CMS, which can carry multiple certs and/or CRLs
> > in DER (or PEM-ified single DER, as opposed to PEM concatenation)
> > and is fairly commonly used for that purpose.

> This makes me understand PKCS#7 or PKCS#12 can take several
> certificates and key in PEM format into a single file. When packaging
> server, intermediate and key into a single file is there a sequence to
> do that?
                
I'm not sure if you're asking about the formats or openssl.

7 can't carry (private) keys as such; it can do certs and/or CRLs 
and/or arbitrary data. (Its design purpose was to carry signed and/or 
encrypted data, with certs and CRLs as an add-on, but they have become 
a tail that sometimes wags the dog.) You could write programs that put 
private key(s) as encrypted data, but nothing else will expect this.

12 can carry (private) keys and certs (but AFAIK not CRLs).

openssl pkcs7 doesn't support building, although you could write 
a program that does. It can read either DER or PEM, and convert to 
the other, and extract certs into PEM (which another command, 
openssl x509, can then convert to DER).

openssl pkcs12 can build DER from local PEM files (which can have been 
converted from DER by other openssl commands), or extract DER into local 
PEM files (which can be converted to DER by other openssl commands).

If your goal is to transport a key with the certs needed for it, 
for example from server-primary to server-backup, or central-keygen 
to entity, etc., use 12. That's exactly what it was designed for.
If you're doing something else, there may be other answers.



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
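
The bundling discussed in this thread, as an added example that is not part of the original messages or of the OpenSSL project's own material: it builds the same key and chain into a PKCS#12 file twice with `openssl pkcs12 -export`, once with the inputs named in the conventional way and once from a single PEM file in scrambled order, then compares what each file stores. The chain, file names and password are constructed for the demo, and an `openssl` binary on PATH is assumed.

```shell
#!/bin/sh
# Added example: every key, certificate and password here is a constructed, throwaway value.
set -eu
PASS='pass:constructed-demo'
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Build a root -> intermediate -> server chain so there is something to bundle.
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 7 -subj '/CN=Constructed Demo Root' \
    -keyout root.key -out root.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Constructed Demo Intermediate' \
    -keyout int.key -out int.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 7 -out int.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=server.example.test' \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 7 -out leaf.pem 2>/dev/null
}

build_bundles() {
  # a.p12: key and its certificate named explicitly, chain certificates via -certfile.
  cat int.pem root.pem > chain.pem
  openssl pkcs12 -export -inkey leaf.key -in leaf.pem -certfile chain.pem \
    -out a.p12 -passout "$PASS"
  # b.p12: the same four PEM objects in one file, deliberately out of order.
  cat root.pem leaf.key int.pem leaf.pem > scrambled.pem
  openssl pkcs12 -export -in scrambled.pem -out b.p12 -passout "$PASS"
}

# Sorted subject lines of every certificate stored in a PKCS#12 file.
p12_subjects() {
  openssl pkcs12 -in "$1" -nokeys -passin "$PASS" 2>/dev/null | grep '^subject=' | sort
}

# Number of private keys stored in a PKCS#12 file (the key is only counted, never written out).
p12_key_count() {
  openssl pkcs12 -in "$1" -nocerts -nodes -passin "$PASS" 2>/dev/null | grep -c 'BEGIN.*PRIVATE KEY'
}

make_chain
build_bundles
for f in a.p12 b.p12; do
  echo "$f: $(p12_key_count "$f") key, certificates:"; p12_subjects "$f"
done
```

The comparison covers only what `openssl pkcs12 -export` stores; whether the software that later imports the file cares about order is a separate question.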
