diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2001-11-12 01:58:50 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2001-11-12 01:58:50 +0000 |
commit | 0b33bc6b72b1261a48ff9b8a16aca23273bd46d8 (patch) | |
tree | 3a61055fdafc399a924de16e11d57e076d207029 /FAQ | |
parent | 7aa983c6dbf7144d67ffb9f586cfae6e32dd3d24 (diff) | |
download | openssl-0b33bc6b72b1261a48ff9b8a16aca23273bd46d8.tar.gz |
Add an FAQ.
Diffstat (limited to 'FAQ')
-rw-r--r-- | FAQ | 21 |
1 files changed, 21 insertions, 0 deletions
@@ -28,6 +28,7 @@ OpenSSL - Frequently Asked Questions * How can I remove the passphrase on a private key? * Why can't I use OpenSSL certificates with SSL client authentication? * Why does my browser give a warning about a mismatched hostname? +* How do I install a CA certificate into a browser? [BUILD] Questions about building and testing OpenSSL @@ -323,6 +324,26 @@ Browsers expect the server's hostname to match the value in the commonName (CN) field of the certificate. If it does not then you get a warning. +* How do I install a CA certificate into a browser? + +The usual way is to send the DER encoded certificate to the browser as +MIME type application/x-x509-ca-cert, for example by clicking on an appropriate +link. On MSIE certain extensions such as .der or .cacert may also work, or you +can import the certificate using the certificate import wizard. + +You can convert a certificate to DER form using the command: + +openssl x509 -in ca.pem -outform DER -out ca.der + +Occasionally someone suggests using a command such as: + +openssl pkcs12 -export -out cacert.p12 -in cacert.pem -inkey cakey.pem + +DO NOT DO THIS! This command will give away your CAs private key and +reduces its security to zero: allowing anyone to forge certificates in +whatever name they choose. + + [BUILD] ======================================================================= * Why does the linker complain about undefined symbols? |