From: Simon Josefsson Date: Wed, 14 Oct 2009 09:47:19 +0000 (+0200) Subject: Mention that sometimes CA certs needs to be included in PKCS#12 files. X-Git-Tag: gnutls_2_9_8~61 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d1b5f97940fe09e3e2baf7da3b4968f7e53be034;p=thirdparty%2Fgnutls.git Mention that sometimes CA certs needs to be included in PKCS#12 files. Reported by Ivars Suba . --- diff --git a/doc/gnutls.texi b/doc/gnutls.texi index bc167a1227..5f168c56c8 100644 --- a/doc/gnutls.texi +++ b/doc/gnutls.texi @@ -2914,6 +2914,17 @@ $ certtool --load-certificate cert.pem --load-privkey key.pem \ --to-p12 --outder --outfile key.p12 @end example +Some tools (reportedly web browsers) have problems with that file +because it does not contain the CA certificate for the certificate. +To work around that problem in the tool, you can use the +@samp{--load-ca-certificate} parameter as follows: + +@example +$ certtool --load-ca-certificate ca.pem \ + --load-certificate cert.pem --load-privkey key.pem \ + --to-p12 --outder --outfile key.p12 +@end example + @item Proxy certificate can be used to delegate your credential to a temporary, typically short-lived, certificate. To create one from the @@ -3362,7 +3373,7 @@ applications, you will need to convert them into a PKCS#12 structure. This also encrypts the security sensitive key with a password. @example -certtool --to-p12 --load-privkey x509-client-key.pem --load-certificate x509-client.pem --outder --outfile x509-client.p12 +certtool --to-p12 --load-ca-certificate x509-ca.pem --load-privkey x509-client-key.pem --load-certificate x509-client.pem --outder --outfile x509-client.p12 @end example For icing, we'll create a proxy certificate for the client too.