The FreeBSD Diary

 DO NOT!! use PKCS#12
Author: Kaur 
Date:   04-04-02 13:13

Using PKCS#12 for getting the server cert into the browser is overkill.

But sending your server's PRIVATE KEY to the client PC is an absolute NO-NO!

What you should do:
You should import your CA's certificate (or, if you really wish, your server's cert) into the browser in their native .PEM format. DER would also work, but you have them in PEM already.

How to do it:
- copy the cacert.pem to any place on the server where it can be accessed by the browser.
- in your web server config, the MIME type for .pem files must be application/x-x509-ca-cert. If it is not, set it to be. Or define a custom extension, like .cacert, with the same MIME-type.
- point your browser to this file, open it, view it, click 'install', answer 'yes' to most questions.

Your current suggestion - export the server's private key to the outside world - kills the whole idea of using SSL; you could as well just use plain HTTP.
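A pre-publish check for the file that gets copied into the web root, as an added example that is not part of the original post: it accepts a PEM file only when every block is a certificate, and rejects combined cert-plus-key files and binary containers such as PKCS#12. The function names and the sample data are constructed for illustration.

```python
import re

# MIME type the post says the web server must send for the CA certificate.
CA_CERT_MIME = "application/x-x509-ca-cert"

# Match every BEGIN line, even if its END line is missing or truncated,
# so a damaged key block cannot slip past the check.
BEGIN_LINE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----[ \t]*\r?$", re.MULTILINE)


def publish_problems(data: bytes) -> list:
    """Return the reasons a file must not go into the web root ([] means OK)."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        # DER certificates and PKCS#12 bundles are binary; a PKCS#12 file
        # can carry the private key, so do not publish without inspection.
        return ["binary file (DER or PKCS#12?), inspect before publishing"]
    labels = BEGIN_LINE.findall(text)
    if not labels:
        return ["no PEM blocks found"]
    problems = []
    for label in labels:
        if "PRIVATE KEY" in label:  # RSA/EC/ENCRYPTED/plain PRIVATE KEY
            problems.append("contains private key block: " + label)
        elif label != "CERTIFICATE":
            problems.append("unexpected block: " + label)
    return problems


# Constructed sample inputs; the base64 body is a placeholder, not a real cert or key.
CA_ONLY = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
COMBINED = CA_ONLY + (
    b"-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
    b"-----END RSA PRIVATE KEY-----\n"
)
BINARY = b"\x30\x82\x09\x00"  # constructed bytes standing in for a binary container

if __name__ == "__main__":
    for name, blob in [("cacert.pem", CA_ONLY), ("server.pem", COMBINED),
                       ("bundle.p12", BINARY)]:
        found = publish_problems(blob)
        verdict = "OK, serve as " + CA_CERT_MIME if not found else "; ".join(found)
        print(name + ": " + verdict)
```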
