Re: how to package openssl certificate - was Re: Mail: encrypt/sign


sci.crypt archive


From: Marc Heusser <marc.heusser@CHEERSheusser.comMERCIALSPAMMERS.invalid>
Date: Thu Mar 30 2006 - 04:13:26 CEST

In article <marc.heusser-FA2FFE.14323629032006@idnews.unizh.ch>,
 Marc Heusser <marc.heusser@CHEERSheusser.comMERCIALSPAMMERS.invalid>
 wrote:

> How do I package public and private key using openssl so I get a file I
> can import into Keychain Access - and will show up under My certificates
> and also under Keys, ie contains my private key?
> I tried
> openssl pkcs12 -export -out user-certkey.p12 -in user-cert.pem -inkey private/user-key.pem
>
> and then opened the file user-certkey.p12 by double-clicking. It asks
> for the password as expected, but nothing shows up afterwards in
> Keychain access, ie it has not been imported.
>
> Which format do I have to use in openssl so I get both public and
> private key in one file to import? (pkcs12, pem, p7s ...) An exact
> command would be most helpful.
>
> The university's file came with suffix .pfx, and it shows under
> Certificates, My Certificates and Key in the login keychain - as
> expected.

Answering my own question partly:
the pkcs12 format seems to be the right thing - and .pfx is an old form
of it (cf http://www.drh-consultancy.demon.co.uk/pkcs12faq.html).
Also now I got the key imported to Keychain (both public and private).
It also shows up as valid, and in Own Certificates and Keys.

(BTW more info on openssl: http://www.openssl.org/docs/HOWTO/ and
http://www.ipsec-howto.org/x595.html - that is what I followed to create
my own certificate authority and certificate for a person.)

But it does not work with Mail - the buttons to encrypt and sign are
still not on with my own address (they are with the University's
address).
Comparing the two I suspect my own certificate is missing my e-mail
address in the Subject Name section of the certificate - and therefore
Mail does not pick this certificate as corresponding to my own e-mail
address.

This means it now boils down to how to include my e-mail address in the
subject name section of the public and private keys using openssl - if
that is possible somehow after creating them.

Certificate Assistant would probably ease the process, and I'd recommend
it to start (I just missed it and followed general openssl
instructions) - but if not necessary I'd like not to start all over with
new certificates.

Marc

-- 
Switzerland/Europe
<http://www.heusser.com>
remove CHEERS and from MERCIAL to get valid e-mail
PGP fingerprint 0823 D741 9E88 0499 82A1 DC80 8B82 9084 246D FBAE
Received on Mon May 1 01:53:41 2006
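
The check and re-issue discussed in the message above, as an added example that is not part of the original post: a signed certificate's subject cannot be edited, but a new certificate can be issued for the same private key. All names, addresses, paths and the password are constructed, and the certificate is self-signed for brevity rather than signed by the poster's own CA.

```shell
#!/bin/sh
# Added example. Names, addresses, paths and the password are constructed.
set -eu

# E-mail addresses in a certificate (subject emailAddress and
# subjectAltName rfc822Name); prints nothing when there are none.
cert_emails() { openssl x509 -in "$1" -noout -email; }

# True when the certificate's public key belongs to the private key.
# usage: same_key CERT KEY
same_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# New certificate for an EXISTING key, address in subject and subjectAltName.
# Self-signed for brevity; with a private CA, sign a CSR carrying the same fields.
# usage: reissue_with_email KEY CN EMAIL OUT_CERT   (-addext needs OpenSSL 1.1.1+)
reissue_with_email() {
    openssl req -new -x509 -key "$1" -days 365 \
        -subj "/CN=$2/emailAddress=$3" \
        -addext "subjectAltName=email:$3" -out "$4"
}

# Certificate plus private key in one PKCS#12 file.
# usage: make_p12 CERT KEY OUT_P12 PASSWORD
# pass: exposes the password in the process list; omit -passout to be prompted.
make_p12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}

# E-mail addresses of the certificate stored inside a PKCS#12 file.
p12_emails() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" | openssl x509 -noout -email
}

demo() {
    d=$(mktemp -d)
    openssl genrsa -out "$d/user-key.pem" 2048 2>/dev/null
    # Certificate with no address, mirroring the situation in the post
    openssl req -new -x509 -key "$d/user-key.pem" -days 365 \
        -subj "/CN=Constructed User" -out "$d/old-cert.pem"
    echo "old certificate e-mail: [$(cert_emails "$d/old-cert.pem")]"
    reissue_with_email "$d/user-key.pem" "Constructed User" \
        "user@example.invalid" "$d/user-cert.pem"
    same_key "$d/user-cert.pem" "$d/user-key.pem" && echo "same key pair: yes"
    make_p12 "$d/user-cert.pem" "$d/user-key.pem" "$d/user-certkey.p12" "constructed-pass"
    echo "PKCS#12 certificate e-mail: [$(p12_emails "$d/user-certkey.p12" constructed-pass)]"
    rm -rf "$d"
}
demo
```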