

Which export feature?

  • interprb


    Could you tell me which export feature I should use to make sure that the CA public key is installed in the client cert?


    • I translate your question to:
      "How can I create a bundle of client and root certificates"

      If you created the client certificate from scratch including the private key,
      you should use PKCS#12 with certificate chain to include the user-cert, its key and all
      certificates in the chain up to the root.
      This will ask you to enter a password to protect the private key. You must
      tell the recipient the password to enable him to open the PKCS#12 package.

      If you created the certificate by signing a request, you may export it
      as PKCS#7 with chain. This is not password protected, since there is no secret
      information inside.

      However, providing the root CA on a different channel and telling your users to
      download it and to verify the fingerprint is considered more secure.

    • interprb

      Thank you so much for the reply. I did just as you say. My problem is that I am having a tough time in getting the IMP webmail to see the CA part of the user's cert. I thought that when the CA signed the client, be it server or user, it became part of that cert (chained). I was told to import the CA cert into the server cert. Isn't it already there? I think that is where the problem is, I just don't know what to do.

      When using the mail client Outlook or Thunderbird I have no problems. User cert in the user's store and CA in the trusted CA store. Works as it should. Also no problem in connecting to the web site (no domain mismatch etc.).

      Thank you so much for the help.

    • interprb

      After some thought, I believe the process deals with two parts.

      1. Creating the SSL connection to the server.
      I have no errors because certs are bundled as advised. CA and user certs are in the correct browser stores, allowing authentication to the server. (OK on that part.)

      2. Import users' certs (p12 w/chain) to the server keystore in webmail so they may sign/encrypt mail. The server is looking for the CA cert to verify the user and can't find it. I don't think it is looking in the browser CA store but rather in the server cert for the CA part for verification of users' signatures. That's why I was advised (another forum) to import the CA cert into the server cert. Isn't that the same as exporting p12 w/chain?

      My confusion is that because we created and signed both the server cert and all users' certs and exported them as p12 w/chain, the CA part by default is already present.
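The two exports described in the first reply (PKCS#12 with chain, password protected, versus PKCS#7 with chain, certificates only) and the later question of whether the CA inside a p12 is what a server uses to verify users, worked through as an added example. This is not XCA's code or anything posted in the thread; it uses the openssl command line, generates throwaway test keys, and "secret" is a constructed example password. The last function shows the point the thread circles around: a relying party verifies against its own trust store, and a copy of the CA cert riding along inside the bundle does not by itself put it there.

```shell
#!/bin/sh
# Added example, not from the thread or from XCA: PKCS#12-with-chain vs
# PKCS#7-with-chain exports done with openssl, plus checks on their contents.
# All key material below is throwaway test material generated on the spot.
set -eu

# Create a root CA and a client certificate signed by it, in directory $1.
make_test_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
      -subj "/CN=Example Test Root CA" \
      -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
      -subj "/CN=alice@example.test" \
      -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$d/client.csr" \
      -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
      -out "$d/client.pem" 2>/dev/null
}

# "PKCS#12 with certificate chain": user cert + private key + CA chain,
# protected by a password the recipient has to be told out of band.
export_p12_with_chain() {
  d=$1; password=$2
  openssl pkcs12 -export -name "alice" \
      -in "$d/client.pem" -inkey "$d/client.key" -certfile "$d/ca.pem" \
      -out "$d/client.p12" -passout "pass:$password"
}

# "PKCS#7 with chain": certificates only, no private key, hence no password.
export_p7_with_chain() {
  d=$1
  openssl crl2pkcs7 -nocrl \
      -certfile "$d/client.pem" -certfile "$d/ca.pem" -out "$d/chain.p7b"
}

# Number of certificates a bundle carries (2 = client cert + root CA).
count_p12_certs() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
      | grep -c 'BEGIN CERTIFICATE'
}
count_p7_certs() {
  openssl pkcs7 -in "$1" -print_certs 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# The CA cert carried inside the PKCS#12 is the root the client cert chains
# to: compare SHA-256 fingerprints, the same check users should do when the
# root is handed out over a separate channel.
p12_ca_matches() {
  d=$1; password=$2
  openssl pkcs12 -in "$d/client.p12" -passin "pass:$password" \
      -cacerts -nokeys -out "$d/ca-from-p12.pem" 2>/dev/null
  a=$(openssl x509 -in "$d/ca-from-p12.pem" -noout -fingerprint -sha256)
  b=$(openssl x509 -in "$d/ca.pem" -noout -fingerprint -sha256)
  [ "$a" = "$b" ]
}

# Chain validation the way a relying party (a webmail server, say) does it:
# the CA has to be in the verifier's own trust store (-CAfile here). The
# bundle containing a copy of the CA does not make the verifier trust it.
client_verifies_against_ca() {
  d=$1
  openssl verify -CAfile "$d/ca.pem" "$d/client.pem" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d)
  make_test_pki "$d"
  export_p12_with_chain "$d" secret
  export_p7_with_chain "$d"
  echo "PKCS#12 certs: $(count_p12_certs "$d/client.p12" secret)"
  echo "PKCS#7 certs:  $(count_p7_certs "$d/chain.p7b")"
  p12_ca_matches "$d" secret && echo "CA inside p12 matches root CA"
  client_verifies_against_ca "$d" && echo "client cert verifies against CA"
  echo "files left in $d"
}

demo
```

Run it with `sh` on any machine with openssl installed; both bundles come out with two certificates, and `client_verifies_against_ca` only passes because the CA is supplied explicitly as the trust anchor, which is the step the server side still needs regardless of what the p12 contains.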