
[FWD] Intermediate certificate chain not included when exporting as pkcs12


Lutz Jaenicke

Feb 17, 2011, 4:38:18 AM
Forwarded to openssl-users for discussion.

Best regards,
Lutz
----- Forwarded message from Alexander Mills <alexand...@psycle.com> -----

From: Alexander Mills <alexand...@psycle.com>
To: r...@openssl.org
Subject: Intermediate certificate chain not included when exporting as pkcs12
Date: Thu, 17 Feb 2011 09:15:37 +0000

Recently I was tasked with using a .crt and .key used in Apache for
use with Apache Tomcat. I searched around and the solution was to use
the following command, where the p7b file is the intermediate
certificate provided by Thawte.

openssl pkcs12 -export -in myCert.crt -inkey myKey.key -out mypkcs12.p12 -name tomcat -CAfile ssl_pkcs7.p7b -caname root -chain

For some reason, which I am yet to fathom, the above command will not
export the intermediate chain, and thus the certificate becomes
untrustworthy.
The only solution I have been able to find is to use Internet Explorer.

I've written the instructions for IE below, but I'm perplexed as to
why openssl isn't behaving as I thought it would have (and clearly
others feel this way).

Open IE
Click Tools
Click Internet Options
Click Content
Click Certificates
Import the p12 file into the Personal Store
Go to the Trusted Root Certification Authorities tab
Delete “Thawte Primary Root CA” issued by “Thawte Primary Root CA”
Import the intermediate file from the following link into the
Intermediate Certification tab: https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=AR1373
Right click 'Download the PKCS#7 CA' and save the file and import that
file into the Intermediate Certification Authorities tab
Then go back to the Personal Store tab
Double click the certificate
Click the certification path tab
There should be 4 certificates in the certificate hierarchy at this
stage
Highlight the certificate in the Personal Store
Click on Export
Click 'Yes, export private key'
Click Next
Put a tick in the first checkbox only, not the other two
Finish the wizard
Rename the PFX file you create to have a p12 extension
Use the new .p12 file in Tomcat

----- End forwarded message -----
--
Lutz Jaenicke jaen...@openssl.org
OpenSSL Project http://www.openssl.org/~jaenicke/
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Martin Boßlet

Feb 17, 2011, 5:02:10 AM
I had this problem, too. A workaround that does the trick for me is to

- encode the key and any certificate you'd like to export to the .p12 as PEM
- Paste the PEM key and all the PEM certificates into one single file
(let's assume all.pem)
- then issue the following command:

openssl pkcs12 -export -in all.pem -out mypkcs12.p12 -name tomcat

Regards,
Martin

Eisenacher, Patrick

Feb 17, 2011, 5:40:07 AM

> -----Original Message-----
> From: Lutz Jaenicke
>
> Forwarded to openssl-users for discussion.
>
> Best regards,
> Lutz

> ----- Forwarded message from Alexander Mills -----


>
> From: Alexander Mills
>
> Recently I was tasked with using a .crt and .key used in Apache for
> use with Apache Tomcat. I searched around and the solution was to use
> the following command, where the p7b file is the intermediate
> certificate provided by Thawte.
>
> openssl pkcs12 -export -in myCert.crt -inkey myKey.key -out
> mypkcs12.p12 -name tomcat -CAfile ssl_pkcs7.p7b -caname root -chain
>
> For some reason, which I am yet to fathom, the above command will not
> export the intermediate chain, and thus the certificate becomes
> untrustworthy.

The following command works for me:
$ openssl pkcs12 -export -in cert.pem -inkey key.pem -name mylabel -chain -CAfile ca_path.pem -out archive.p12 -passout pass:mypassphrase

ca_path.pem contains the concatenated CA certificates of cert.pem's certificate chain, encoded in PEM-format.

So obviously what you pass in via -CAfile has the wrong format. Also make sure that all CA certificates of your chain are included in that file.


HTH,
Patrick Eisenacher
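The following script is an added worked example and is not code from any of the posters above. It ties together the point made in Patrick's and Martin's replies: `-CAfile`, `-certfile` and `-in` read PEM `CERTIFICATE` blocks, not a PKCS#7 object, so a CA's `.p7b` bundle (DER or PEM) has to be unpacked with `openssl pkcs7 -print_certs` before `openssl pkcs12 -export` can use it. The script builds a throwaway root/intermediate/leaf PKI, packages the intermediate and root as a DER PKCS#7 bundle the way a CA would hand it out, converts that bundle to PEM, exports the leaf plus key plus chain to PKCS#12 in three ways (Patrick's `-chain -CAfile`, plain `-certfile`, and Martin's single concatenated PEM file), and then runs the check worth doing on any `.p12` before deploying it: listing how many certificates it actually contains. Every file name, subject name and the passphrase are assumptions made for the example; it needs an `openssl` binary from 1.1.1 or later with its stock configuration file installed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Builds a demo PKI,
# converts a PKCS#7 CA bundle to PEM, and exports leaf + key + chain to
# PKCS#12 three ways, then counts what landed in each .p12.
# All names, paths and the passphrase are assumptions for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
PASS=changeit   # export passphrase for the demo .p12 files

# Extensions that make a certificate acceptable as a CA when a chain is verified
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca_ext.cnf

# 1. Constructed demo PKI: self-signed root, intermediate CA, server leaf
make_demo_pki() {
  openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
      -subj "/CN=Demo Root CA" 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 3650 \
      -extfile ca_ext.cnf -out root.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
      -subj "/CN=Demo Intermediate CA" 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 1825 -extfile ca_ext.cnf -out inter.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout myKey.key -out leaf.csr \
      -subj "/CN=tomcat.example.test" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
      -days 365 -out myCert.crt 2>/dev/null
  # What a CA typically ships as the "intermediate bundle": a DER PKCS#7 file
  openssl crl2pkcs7 -nocrl -certfile inter.pem -certfile root.pem \
      -outform DER -out ssl_pkcs7.p7b
}

# 2. -CAfile / -certfile / -in read PEM "CERTIFICATE" blocks, not a PKCS#7
#    object (DER or PEM), so unpack the .p7b into plain PEM first.
p7b_to_pem() {
  openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2"
}

# 3a. Patrick's form: verify the leaf against the PEM CA bundle and embed
#     every certificate of the resulting chain (intermediate and root).
export_with_chain() {
  openssl pkcs12 -export -in myCert.crt -inkey myKey.key -name tomcat \
      -chain -CAfile chain.pem -out chain.p12 -passout "pass:$PASS"
}

# 3b. -certfile embeds the extra certificates as given, with no verification;
#     useful when the chain does not verify locally or the root must be left out.
export_with_certfile() {
  openssl pkcs12 -export -in myCert.crt -inkey myKey.key -name tomcat \
      -certfile chain.pem -out certfile.p12 -passout "pass:$PASS"
}

# 3c. Martin's form: key and all certificates concatenated into one PEM file;
#     openssl takes the certificate that matches the key as the main one.
export_from_single_pem() {
  cat myKey.key myCert.crt chain.pem > all.pem
  openssl pkcs12 -export -in all.pem -name tomcat -out all.p12 -passout "pass:$PASS"
}

# 4. The check to run on any .p12 before handing it to Tomcat: how many
#    certificates and keys does it really carry?
count_certs() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null \
      | grep -c 'BEGIN CERTIFICATE' || true
}
count_keys() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -passout "pass:$PASS" 2>/dev/null \
      | grep -c 'BEGIN.*PRIVATE KEY' || true
}

make_demo_pki
p7b_to_pem ssl_pkcs7.p7b chain.pem
export_with_chain
export_with_certfile
export_from_single_pem
for f in chain.p12 certfile.p12 all.p12; do
  echo "$f: $(count_certs "$f") certificate(s), $(count_keys "$f") key(s)"
done
# Each line should read: 3 certificate(s), 1 key(s)
```

If `count_certs` reports only one certificate for a `.p12` built with `-chain`, the CA bundle given to `-CAfile` was not readable as PEM certificates or did not contain the whole chain up to a self-signed root; Tomcat will then serve the leaf alone and clients that do not already hold the intermediate will reject it.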
