From d1b5f97940fe09e3e2baf7da3b4968f7e53be034 Mon Sep 17 00:00:00 2001
From: Simon Josefsson
Date: Wed, 14 Oct 2009 11:47:19 +0200
Subject: Mention that sometimes CA certs needs to be included in PKCS#12 files.
Reported by Ivars Suba .
---
 doc/gnutls.texi | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
(limited to 'doc')
diff --git a/doc/gnutls.texi b/doc/gnutls.texi
index bc167a1227..5f168c56c8 100644
--- a/doc/gnutls.texi
+++ b/doc/gnutls.texi
@@ -2914,6 +2914,17 @@ $ certtool --load-certificate cert.pem --load-privkey key.pem \
 --to-p12 --outder --outfile key.p12
 @end example
+Some tools (reportedly web browsers) have problems with that file
+because it does not contain the CA certificate for the certificate.
+To work around that problem in the tool, you can use the
+@samp{--load-ca-certificate} parameter as follows:
+
+@example
+$ certtool --load-ca-certificate ca.pem \
+ --load-certificate cert.pem --load-privkey key.pem \
+ --to-p12 --outder --outfile key.p12
+@end example
+
 @item Proxy certificate can be used to delegate your credential to a temporary, typically short-lived, certificate. To create one from the
@@ -3362,7 +3373,7 @@ applications, you will need to convert them into a PKCS#12 structure. This also encrypts the security sensitive key with a password.
 @example
-certtool --to-p12 --load-privkey x509-client-key.pem --load-certificate x509-client.pem --outder --outfile x509-client.p12
+certtool --to-p12 --load-ca-certificate x509-ca.pem --load-privkey x509-client-key.pem --load-certificate x509-client.pem --outder --outfile x509-client.p12
 @end example
 For icing, we'll create a proxy certificate for the client too.
-- 
cgit v1.2.1