Re: 0.29.0 - PKCS12 Certificates Only?

On Mon, Sep 08, 2003 at 03:33:36PM -0500, Doug Dicks wrote:
>
> This is now broke and I get prompted to confirm my server's certificate
> every time. I assume this is due to the following change from the
> release notes for .29:

The server CA certificate files (ssl-authority-files) are still PEM
encoded. It is now seperated to be one certificate per file. The option
is now called 'ssl-authority-files'.

If your server certificate is signed by Equifax, you will have to get
their CA certificate and use that with the 'ssl-authority-files' option.

The PKCS12 change is for client certificates only, used during
SSL client-authentication.

> I've been reading the various web pages returned by Google on pkcs12,
> but am still at a loss for what to do about it. I've tried several
> different ways to convert the PEM to PKCS12, but with no success.

To convert your PEM-encoded client-certificate (client-1.crt) and key
(client-1.key) pair to PKCS12 using the openssl utility, do:

openssl pkcs12 -export -in client-1.crt -inkey client-1.key -out client-1.p12 -name "Client certificate of Fubar"

You can read more about PKCS12 here:
http://www.rsasecurity.com/rsalabs/pkcs/pkcs-12/index.html

> I can get around this by adding "ssl-ignore-unknown-ca = true" to my
> servers file, but would like to avoid this if possible.

Please avoid it, or you will defeat the very objective of using SSL/TLS.

-- 
Mukund
The very powerful and the very stupid have one thing in common.  Instead of
altering their views to fit the facts, they alter the facts to fit their
views ... which can be very uncomfortable if you happen to be one of the
facts that needs altering.
                -- Doctor Who, "Face of Evil"
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org