Hi,
Your process is correct. But the output certificate is in DER
format. That's why you are unable to see the BEGIN CERTIFICATE tags...
The MIME type is also correct.
How are you downloading to the Netscape browser?
Ravi Prakash B.V.
On Thu, 18 Oct 2001, Christopher L. Everett wrote:
> Hello:
>
> I'm trying to use the "openssl ca" command inside a mod_perl
> handler (I borrowed Perl code from http://www.pseudonym.org/ssl/)
> to sign netscape spkacs, and I'm running into a very funky
> problem.
>
> The docs say that the signed cert will come out in PEM form.
> As I understand it, PEM certs look like
>
> -----BEGIN CERTIFICATE-----
>
> -----END CERTIFICATE-----
>
> and what I get coming out is something very different. When
> I try to download it to a netscape browser using a mime type
> of 'application/x-x509-user-cert', Netscape won't load it.
>
> My environment is
>
> Debian Potato dist with Linux kernel 2.4.9
> openssl 0.9.6b
>
> The command I use is
>
> /usr/local/bin/openssl ca -batch \
> -config /var/ssl/PhysempCA/request.cnf \
> -out /var/ssl/PhysempCA/newcerts/72ff92dd0ca7e7a8309435072ed478.pem \
> -spkac /var/ssl/PhysempCA/newcerts/72ff92dd0ca7e7a8309435072ed478.spkac
>
> The output to STDOUT is :
>
> Using configuration from /var/ssl/PhysempCA/request.cnf
> Check that the SPKAC request matches the signature
> Signature ok
> The Subjects Distinguished Name is as follows
> countryName :PRINTABLE:'US'
> localityName :PRINTABLE:'Mexico'
> organizationName :PRINTABLE:'Audrain Medical Center'
> commonName :PRINTABLE:'Michele Trammell'
> emailAddress :IA5STRING:'[EMAIL PROTECTED]'
> Certificate is to be certified until Oct 17 18:47:20 2002 GMT (366 days)
>
> Write out database with 1 new entries
> Data Base Updated
>
> Here is the SPKAC (inserted newlines for readability):
>
> C=US
> SP=Missouri
> L=Mexico
> O=Audrain Medical Center
> CN=Michele Trammell
> [EMAIL PROTECTED]
>
> And here is my config file:
>
> [ ca ]
>
> default_ca = PhysempCA # The default ca section
>
> [ PhysempCA ]
>
> dir = /var/ssl/PhysempCA
> certs = /var/ssl/PhysempCA/certs
> crl_dir = /var/ssl/PhysempCA/crl
> database= /var/ssl/PhysempCA/index.txt
> new_certs_dir = /var/ssl/PhysempCA/newcerts
> certificate = /var/ssl/PhysempCA/cacert.pem
> serial = /var/ssl/PhysempCA/serial
> crl = /var/ssl/PhysempCA/crl.pem
> private_key = /var/ssl/PhysempCA/private/cakey.pem.decoded
> RANDFILE= /var/ssl/PhysempCA/private/.rand
> x509_extensions = usr_cert
> default_days= 366
> default_md = md5
> preserve= no
> policy = policy_anything
>
> [ policy_anything ]
>
> countryName= optional
> stateOrProvinceName= optional
> localityName = optional
> organizationName = optional
> organizationalUnitName = optional
> commonName = optional
> emailAddress = optional
>
> [ req ]
>
> default_bits = 1024
> default_keyfile= privkey.pem
> distinguished_name = req_distinguished_name
> attributes = req_attributes
> prompt = no
> string_mask= nombstr
> req_extensions = v3_req
>
> [ req_distinguished_name ]
>
> countryName_default = US
> stateOrProvinceName_default = Missouri
> localityName_default= Mexico
> organizationName_default= Audrain Medical Center
> commonName_default = Michele Trammell
> emailAddress_default= [EMAIL PROTECTED]
>
> [ req_attributes ]
>
> challengePassword =
> unstructuredName = Michele Trammell
>
> [ usr_cert ]
>
> basicConstraints = CA:FALSE
> nsCertType = client, email
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment
> nsComment = "OpenSSL Generated Certificate Issued by Physician's Employment CA"
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid,issuer:always
> subjectAltName = email:copy
> issuerAltName = issuer:copy
>
> [ v3_req ]
>
> basicConstraints = CA:FALSE
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment
>
>
> If any one needs to see the resulting cert, I'd be more than
> happy to email it as an attachment.
>
>
>
> --Christopher
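An added example, not part of the original thread and not OpenSSL code: a Python sketch that tells whether a certificate file such as the `-out` file in the command above is DER or PEM, and wraps DER in PEM armor. The function names and `SAMPLE_DER` are constructed for illustration; the sample is a dummy DER SEQUENCE, not a real certificate.

```python
import base64
import re

# PEM armor around base64; search() tolerates any text dump placed before the block.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

# Constructed sample: SEQUENCE { OCTET STRING of 197 zero bytes }, long-form lengths.
SAMPLE_DER = b"\x30\x81\xc8" + b"\x04\x81\xc5" + bytes(197)

def der_total_length(data):
    """Byte length of the outer DER SEQUENCE (header + body), or None."""
    if len(data) < 2 or data[0] != 0x30:      # 0x30 = constructed SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                          # short form: one length byte
        return 2 + first
    n = first & 0x7F                          # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:  # indefinite or oversized: not DER
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def sniff_encoding(data):
    """Classify certificate bytes as 'pem', 'der' or 'unknown'."""
    if PEM_RE.search(data):
        return "pem"
    if der_total_length(data) == len(data):   # exactly one TLV, no trailing bytes
        return "der"
    return "unknown"

def der_to_pem(der):
    """Wrap DER bytes in PEM armor: base64 in 64-column lines between the markers."""
    if sniff_encoding(der) != "der":
        raise ValueError("input is not a single DER SEQUENCE")
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def pem_to_der(pem):
    """Strip the armor and decode the base64 body back to DER bytes."""
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode(match.group(1))   # newlines in the body are ignored

if __name__ == "__main__":
    print(sniff_encoding(SAMPLE_DER))
    print(der_to_pem(SAMPLE_DER))
```

The sniffing only inspects the outer tag and length, so it distinguishes the two encodings but does not validate that the content is an X.509 certificate.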