Re: how to package openssl certificate - was Re: Mail: encrypt/sign
sci.crypt archive

From: Tom Stiller <tomstiller@comcast.net>
Date: Wed Mar 29 2006 - 16:14:35 CEST

In article <marc.heusser-FA2FFE.14323629032006@idnews.unizh.ch>,
 Marc Heusser <marc.heusser@CHEERSheusser.comMERCIALSPAMMERS.invalid>
 wrote:

> In article <tomstiller-4A17AC.07254124032006@comcast.dca.giganews.com>,
> Tom Stiller <tomstiller@comcast.net> wrote:
>
> > In article <marc.heusser-4D53EE.12391924032006@idnews.unizh.ch>,
> > Marc Heusser <marc.heusser@CHEERSheusser.comMERCIALSPAMMERS.invalid>
> > wrote:
> >
> > > In article <tomstiller-7C7FE9.21205523032006@comcast.dca.giganews.com>,
> > > Tom Stiller <tomstiller@comcast.net> wrote:
> > >
> > > > In article <marc.heusser-820B1A.01013824032006@idnews.unizh.ch>,
> > > > Marc Heusser <marc.heusser@CHEERSheusser.comMERCIALSPAMMERS.invalid>
> > > > wrote:
> > > >
> > > > > I want to use Mail to send signed/encrypted mail with X.509
> > > > > certificates, using Mac OS X 10.4.5/Mail 2.0.7 (fully updated with
> > > > > Software Update).
> > > > >
> > > > > Unfortunately I do not get the encrypt/sign checkboxes at all.
> > > > >
> > > > > I do have X.509 certificates for both sender's and recipient's mail
> > > > > addresses; they are accepted as valid in Keychain Access (in the login
> > > > > keychain, and the corresponding root certificates in the X.509 anchors
> > > > > keychain).
> > > > > What could be wrong? And how do I correct it?
>
> Dear Tom
>
> I barked up the wrong tree, sorry :-( -
> the problem lies in the certificates/keys .
>
> Testing with a certificate from the university, everything works ok (I
> also get both the X.509 and PGP checkboxes to encrypt and sign).

I have to confess: I have no idea what you're trying to do. I routinely
send encrypted and/or signed e-mail but have never bothered with X.509
certificates, but then, I only see the GPG checkboxes when I create a
new message. Sorry if I led you astray.
>
> The certificate from my own Certificate authority does not work.
> I used openssl to create certificate authority and personal certificate
> - as far as I can see this is all in order. As required, my CA
> certificate is in the X509 anchors keychain and I set it to valid.
>
> In Keychain access the university's certificate shows up under
> Certificates, My Certificates and Keys - indicating I have the private
> key in my understanding.
> My own certificate is shown as valid, but does show up only under
> Certificates - indicating missing private key I guess.
>
> How do I package public and private key using openssl so I get a file I
> can import into Keychain Access - and will show up under My Certificates
> and also under Keys, i.e. contains my private key?
> I tried
>
> openssl pkcs12 -export -out user-certkey.p12 -in user-cert.pem -inkey private/user-key.pem
>
> and then opened the file user-certkey.p12 by double-clicking. It asks
> for the password as expected, but nothing shows up afterwards in
> Keychain Access, i.e. it has not been imported.
>
> Which format do I have to use in openssl so I get both public and
> private key in one file to import? (pkcs12, pem, p7s ...) An exact
> command would be most helpful.

I don't think there is any option in openssl that will combine the
public and private keys in a single file. In my opinion, that would be a
serious flaw in openssl.
>
> The university's file came with suffix .pfx, and it shows under
> Certificates, My Certificates and Keys in the login keychain - as
> expected.
>
> TIA
>
> Marc

-- 
Tom Stiller
PGP fingerprint =  5108 DDB2 9761 EDE5 E7E3 
                   7BDA 71ED 6496 99C0 C7CF
Received on Mon May 1 01:53:20 2006
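The packaging step Marc asks about, as an added example that is not part of the thread and not code from either poster: `openssl pkcs12 -export` does put a certificate, its private key and (with `-certfile`) the issuing CA into one password-protected PKCS#12 file, which is the same container as the university's `.pfx`. The script below first builds a throw-away CA and a user certificate so it runs stand-alone; the CA name "Example Test CA", the address alice@example.invalid, the file names under `$WORK` and the passphrase "import-me" are assumptions, not Marc's values. It then inspects the finished bundle with openssl rather than a keychain, which is the check worth running before importing: the bundle should contain one private key and the certificate chain, the public key in the certificate must match the private key, and the certificate must verify against the CA.

```shell
#!/bin/sh
# Added example (not from the thread): build a throw-away CA, issue a
# user certificate for S/MIME, bundle certificate + private key + CA into
# one PKCS#12 file, and verify the bundle's contents with openssl alone.
# Names, subjects and the passphrase are assumptions chosen for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # scratch directory (assumed)
P12PASS="${P12PASS:-import-me}"       # assumed passphrase; the importer prompts for it

make_ca() {
  # Self-signed CA. "req -x509" marks it CA:TRUE (via the default config's
  # v3_ca section, or automatically on OpenSSL 3), which "verify" needs.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca-key.pem" -out "$WORK/ca-cert.pem" 2>/dev/null
}

make_user_cert() {
  # User key + CSR, then sign with the CA. Mail clients look for the address
  # in subjectAltName and for emailProtection in extendedKeyUsage.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=Alice Example/emailAddress=alice@example.invalid" \
    -keyout "$WORK/user-key.pem" -out "$WORK/user.csr" 2>/dev/null
  cat > "$WORK/user.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=emailProtection
subjectAltName=email:alice@example.invalid
EOF
  openssl x509 -req -days 365 -in "$WORK/user.csr" \
    -CA "$WORK/ca-cert.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
    -extfile "$WORK/user.ext" -out "$WORK/user-cert.pem" 2>/dev/null
}

pack_p12() {
  # The step the thread asks about. -in and -inkey must belong together
  # (openssl refuses with "No certificate matches private key" otherwise);
  # -certfile adds the issuing CA so the importer can build the chain;
  # -name is the friendly name shown after import.
  openssl pkcs12 -export \
    -in "$WORK/user-cert.pem" -inkey "$WORK/user-key.pem" \
    -certfile "$WORK/ca-cert.pem" -name "alice@example.invalid" \
    -passout "pass:$P12PASS" -out "$WORK/user-certkey.p12"
}

build_bundle() {
  make_ca
  make_user_cert
  pack_p12
}

# Inspection helpers: unpack the .p12 back to PEM and count what is inside.
p12_cert_count() {
  openssl pkcs12 -in "$WORK/user-certkey.p12" -passin "pass:$P12PASS" \
    -nokeys -nodes 2>/dev/null | grep -c "BEGIN CERTIFICATE"
}

p12_key_count() {
  openssl pkcs12 -in "$WORK/user-certkey.p12" -passin "pass:$P12PASS" \
    -nocerts -nodes 2>/dev/null | grep -c "BEGIN .*PRIVATE KEY"
}

key_matches_cert() {
  # The public key inside the certificate must equal the one derived from
  # the private key; a mismatch means the bundled key is not for this cert.
  [ "$(openssl x509 -in "$WORK/user-cert.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/user-key.pem" -pubout)" ]
}

chain_verifies() {
  openssl verify -CAfile "$WORK/ca-cert.pem" "$WORK/user-cert.pem" >/dev/null 2>&1
}

build_bundle
echo "bundle: $WORK/user-certkey.p12 (certs=$(p12_cert_count), keys=$(p12_key_count))"
```

Two caveats when the target importer is older than the openssl that made the file: OpenSSL 3 writes PKCS#12 with AES-256-CBC, PBKDF2 and a SHA-256 MAC by default, and importers that only understand the older RC2/3DES-with-SHA-1 form reject it without a useful message; `-legacy` on OpenSSL 3, or explicitly `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1` on any version, produces the old form. And the `.p12` is the private key, so keep the passphrase strong and delete the file once the key is in the keychain.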