On Wed, Oct 09, 2013, Graham Leggett wrote:
> Hi all,
>
> I have a cert, a CA cert, and N intermediate certificates, each in three separate files. I don't know the value of N during this process.
>
> What I need to do is combine these certs into a P12 file, but crucially I need to give the cert and the CA cert very specific nicknames for further scripting to work. The "-name" option is working fine; it gives the nickname to the cert as expected. I am struggling, however, with the "-caname" option - instead of applying the nickname to the CA certificate, it applies the nickname to the first intermediate cert instead.
>
> /usr/bin/openssl pkcs12 -export -in machine.cert -CAfile ca.pem -certfile machine.chain -inkey machine.key -out machine.p12 -name "Server-Cert" -passout env:PASS -chain -caname "CA-Cert"
>
> As an alternative I tried piping the certs to openssl, but this time openssl seems to be ignoring the additional certs and throws an error:
>
> cat machine.cert ca.pem machine.chain | /usr/bin/openssl pkcs12 -export -inkey machine.key -out machine.p12 -name "Server-Cert" -passout env:PASS -chain -caname "CA-Cert"
> Error unable to get local issuer certificate getting chain.
>
> Can this be done with openssl?
>
The -caname option works in the order in which certificates are added to the
PKCS#12 file and can appear more than once. So if you have an intermediate
certificate followed by a root CA you need two -caname options.
There is a separate way to do this by adding an alias to the certificate PEM
files themselves and not using -caname at all.
You can do that with:
openssl x509 -in ca.pem -setalias "whatever" -out ca-new.pem
Then whenever you add 'ca-new.pem' in the pkcs12 command it should use that
value, unless it is overridden by a -caname option.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available, see:
http://www.openssl.org
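Both approaches from Steve's reply, as an added shell example that is not part of the thread: it builds a throwaway root/intermediate/leaf chain (all subject names, file names, the password and the key sizes are constructed for the demo), exports a PKCS#12 once with one -caname per chain certificate in chain order and once with aliases set on the CA PEM files via -setalias, and then lists the friendlyName attributes each file ends up with. Requires an openssl binary on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): root -> intermediate -> leaf chain, then two
# ways of naming the CA certs in the PKCS#12: positional -caname, and -setalias.
set -e
WORK=$(mktemp -d); cd "$WORK"
export PASS=changeit   # constructed demo password, consumed by -passout/-passin env:PASS

# Minimal config: CA extensions so the intermediate verifies as an issuer under -chain.
printf '[req]\ndistinguished_name=dn\n[dn]\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n[leaf_ext]\nbasicConstraints=CA:FALSE\n' > demo.cnf
openssl req -x509 -config demo.cnf -extensions ca_ext -newkey rsa:2048 -nodes -days 7 \
  -keyout root.key -out root.pem -subj "/CN=Demo Root" 2>/dev/null
openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
  -keyout inter.key -out inter.csr -subj "/CN=Demo Intermediate" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 7 \
  -extfile demo.cnf -extensions ca_ext -out inter.pem 2>/dev/null
openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
  -keyout machine.key -out machine.csr -subj "/CN=machine.example" 2>/dev/null
openssl x509 -req -in machine.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 7 \
  -extfile demo.cnf -extensions leaf_ext -out machine.cert 2>/dev/null

# List the friendlyName attributes of a PKCS#12 file, one per line, in bag order.
p12_names() {
  openssl pkcs12 -in "$1" -info -nokeys -passin env:PASS 2>/dev/null | sed -n 's/^ *friendlyName: //p'
}

# Way 1: -caname is positional. With -chain the chain certs (minus the leaf) are appended
# in issuer order, so the first -caname names the intermediate and the second the root.
cat inter.pem root.pem > bundle.pem
openssl pkcs12 -export -in machine.cert -inkey machine.key -CAfile bundle.pem -chain \
  -name "Server-Cert" -caname "Intermediate-Cert" -caname "CA-Cert" \
  -passout env:PASS -out by-caname.p12

# Way 2: bake the alias into each CA PEM with -setalias (written out as a TRUSTED
# CERTIFICATE block); pkcs12 copies the alias into the bag's friendlyName, no -caname needed.
openssl x509 -in inter.pem -setalias "Intermediate-Cert" -out inter-alias.pem
openssl x509 -in root.pem  -setalias "CA-Cert"           -out root-alias.pem
cat inter-alias.pem root-alias.pem > bundle-alias.pem
openssl pkcs12 -export -in machine.cert -inkey machine.key -CAfile bundle-alias.pem -chain \
  -name "Server-Cert" -passout env:PASS -out by-alias.p12

echo "== by -caname ==";  p12_names by-caname.p12
echo "== by -setalias =="; p12_names by-alias.p12
```

Both listings come out as Server-Cert, Intermediate-Cert, CA-Cert; drop one of the two -caname options in Way 1 and the root reverts to having no friendlyName, which is the behaviour Graham observed.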