On Wed, Oct 09, 2013, Graham Leggett wrote:
> Hi all,
>
> I have a cert, a CA cert, and N intermediate certificates, each in three
> separate files. I don't know the value of N during this process.
>
> What I need to do is combine these certs into a P12 file, but crucially I
> need to give the cert and the CA cert very specific nicknames for further
> scripting to work. The "-name" option is working fine, it gives the nickname
> to the cert as expected, I am struggling however with the "-caname" option -
> instead of applying the nickname to the CA certificate, it applies the
> nickname to the first intermediate cert instead.
>
> /usr/bin/openssl pkcs12 -export -in machine.cert -CAfile ca.pem -certfile
> machine.chain -inkey machine.key -out machine.p12 -name "Server-Cert"
> -passout env:PASS -chain -caname "CA-Cert"
>
> As an alternative I tried piping the certs to openssl, but this time openssl
> seems to be ignoring the additional certs and throws an error:
>
> cat machine.cert ca.pem machine.chain | /usr/bin/openssl pkcs12 -export
> -inkey machine.key -out machine.p12 -name "Server-Cert" -passout env:PASS
> -chain -caname "CA-Cert"
> Error unable to get local issuer certificate getting chain.
>
> Can this be done with openssl?
>
The -caname option works in the order in which certificates are added to the PKCS#12 file and can appear more than once. So if you have an intermediate certificate followed by a root CA you need two -caname options.

There is a separate way to do this by adding an alias to the certificate PEM files themselves and not using -caname at all. You can do that with:

openssl x509 -in ca.pem -setalias "whatever" -out ca-new.pem

Then whenever you add 'ca-new.pem' in the pkcs12 command it should use that value, unless it is overridden by a -caname option.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
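The two approaches in the reply above, as an added worked example that is not part of the thread: it builds a throwaway root/intermediate/leaf chain (constructed subject names and export password), exports one P12 with one -caname per CA certificate in the order they are added, and a second P12 where the root's nickname comes from -setalias instead, then reads the friendlyName of each certificate bag back. The chain-file layout, file names and the friendly_names helper are my own.

```shell
#!/bin/sh
# Added example (not from the original thread): each -caname applies, in
# order, to the next CA certificate added; -setalias bakes the name in.
set -eu
export PASS=demo-pass                          # constructed export password
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext

# Throwaway demo PKI: root -> intermediate -> leaf (constructed names).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
  -keyout ca.key -out ca.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 1 -extfile ca.ext -out int.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=machine.example" \
  -keyout machine.key -out machine.csr 2>/dev/null
openssl x509 -req -in machine.csr -CA int.pem -CAkey int.key \
  -CAcreateserial -days 1 -out machine.cert 2>/dev/null
cat int.pem ca.pem > machine.chain              # intermediate first, root last

# friendly_names FILE: one line per certificate bag, "<friendlyName> <CN>";
# a bag without a friendlyName attribute is reported as "(none)".
friendly_names() {
  openssl pkcs12 -in "$1" -passin env:PASS -nokeys -info 2>/dev/null |
    awk 'BEGIN {fn="(none)"}
         /friendlyName:/ {fn=$2}
         /^subject=/ {sub(/.*CN *= */,""); print fn, $0; fn="(none)"}'
}

# 1) One -caname per CA cert, in the order the certs are added. machine.chain
#    holds the intermediate first, so the first -caname names the intermediate
#    and the second names the root (the failure mode in the question).
openssl pkcs12 -export -in machine.cert -inkey machine.key \
  -certfile machine.chain -name "Server-Cert" \
  -caname "Intermediate-Cert" -caname "CA-Cert" \
  -passout env:PASS -out machine.p12

# 2) Alternative: store the alias in the root's PEM file and omit -caname.
#    The intermediate then carries no friendlyName at all.
openssl x509 -in ca.pem -setalias "CA-Cert" -out ca-new.pem
cat int.pem ca-new.pem > machine.chain2
openssl pkcs12 -export -in machine.cert -inkey machine.key \
  -certfile machine.chain2 -name "Server-Cert" \
  -passout env:PASS -out machine2.p12

friendly_names machine.p12
friendly_names machine2.p12
```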