From: Bodo Möller Date: Tue, 13 Nov 2001 08:57:58 +0000 (+0000) Subject: update FAQ from main branch X-Git-Tag: OpenSSL_0_9_6c~58 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=9cb12c9d7632fa638022b1ca38fb21b84c6152a2;p=oweals%2Fopenssl.git update FAQ from main branch --- diff --git a/FAQ b/FAQ index 0281b4c4c7..0b6dc3195a 100644 --- a/FAQ +++ b/FAQ @@ -28,6 +28,7 @@ OpenSSL - Frequently Asked Questions * How can I remove the passphrase on a private key? * Why can't I use OpenSSL certificates with SSL client authentication? * Why does my browser give a warning about a mismatched hostname? +* How do I install a CA certificate into a browser? [BUILD] Questions about building and testing OpenSSL @@ -323,6 +324,26 @@ Browsers expect the server's hostname to match the value in the commonName (CN) field of the certificate. If it does not then you get a warning. +* How do I install a CA certificate into a browser? + +The usual way is to send the DER encoded certificate to the browser as +MIME type application/x-x509-ca-cert, for example by clicking on an appropriate +link. On MSIE certain extensions such as .der or .cacert may also work, or you +can import the certificate using the certificate import wizard. + +You can convert a certificate to DER form using the command: + +openssl x509 -in ca.pem -outform DER -out ca.der + +Occasionally someone suggests using a command such as: + +openssl pkcs12 -export -out cacert.p12 -in cacert.pem -inkey cakey.pem + +DO NOT DO THIS! This command will give away your CAs private key and +reduces its security to zero: allowing anyone to forge certificates in +whatever name they choose. + + [BUILD] ======================================================================= * Why does the linker complain about undefined symbols?