Date: 04-04-02 13:13
Using PKCS#12 for getting server cert into browser is overkill.
But sending your server's PRIVATE KEY to the client PC is an absolute NO-NO!
What you should do:
You should import your CA's certificate (or, if you really wish, your server's cert) into the browser in their native .PEM format. DER would also work, but you have them in PEM already.
How to do it:
- copy the cacert.pem to any place on the server where it can be accessed by the browser.
- in your web server config, the MIME type for .pem files must be application/x-x509-ca-cert. If it is not, set it to be. Or define a custom extension, like .cacert, with the same MIME-type.
- point your browser to this file, open it, view it, click 'install', answer 'yes' to most questions.
Your current suggestion - export the server's private key to the outside world - kills the whole idea of using SSL; you could as well just use plain HTTP.
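
An added example, not part of the original post: a pre-publish check that a PEM file about to be placed under the web root contains only certificate blocks and no private key. The function name `check_publishable`, the helper `_pem` and the sample data are hypothetical and constructed for illustration; only the MIME type comes from the post.

```python
import base64
import re

# MIME type the post says the web server must send for the CA certificate file.
CA_CERT_MIME = "application/x-x509-ca-cert"

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def check_publishable(pem_text):
    """Return (ok, reasons) for a PEM file about to be served to browsers.

    ok is True only if the file holds at least one CERTIFICATE block and
    nothing else (in particular no private-key block of any kind).
    """
    reasons = []
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        reasons.append("no PEM blocks found")
    for label, body in blocks:
        if "PRIVATE KEY" in label:
            reasons.append("contains a %s block: never publish this" % label)
        elif label != "CERTIFICATE":
            reasons.append("unexpected PEM block: %s" % label)
        else:
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except ValueError:
                reasons.append("CERTIFICATE block is not valid base64")
                continue
            # A DER-encoded certificate starts with an ASN.1 SEQUENCE (0x30).
            if not der.startswith(b"\x30"):
                reasons.append("CERTIFICATE block is not a DER SEQUENCE")
    return (not reasons, reasons)


def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b64, label)

# Constructed sample data (placeholder bytes, not real certificates or keys).
SAMPLE_CA = _pem("CERTIFICATE", b"\x30\x03\x02\x01\x00")
SAMPLE_BUNDLE = SAMPLE_CA + _pem("RSA PRIVATE KEY", b"\x30\x03\x02\x01\x00")

if __name__ == "__main__":
    for name, text in (("cacert.pem", SAMPLE_CA), ("bundle.pem", SAMPLE_BUNDLE)):
        ok, why = check_publishable(text)
        print(name, "OK, serve as " + CA_CERT_MIME if ok else "REFUSE: %s" % why)
```

The check only inspects PEM labels and the outer DER tag; it does not validate the certificate itself.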