* How can I remove the passphrase on a private key?
* Why can't I use OpenSSL certificates with SSL client authentication?
* Why does my browser give a warning about a mismatched hostname?
+* How do I install a CA certificate into a browser?
[BUILD] Questions about building and testing OpenSSL
* Why does the linker complain about undefined symbols?
* Why does the OpenSSL test fail with "bc: command not found"?
* Why does the OpenSSL test fail with "bc: 1 no implemented"?
-* Why does the OpenSSL compilation fail on Alpha True64 Unix?
+* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
* Why does the OpenSSL compilation fail with "ar: command not found"?
* Why does the OpenSSL compilation fail on Win32 with VC++?
autoconf will probably be used in future OpenSSL versions. If it was
less Unix-centric, it might have been used much earlier.
-* What is an '-engine' version?
+* What is an 'engine' version?
With version 0.9.6 OpenSSL was extended to interface to external crypto
hardware. This was realized in a special release '0.9.6-engine'. With
-version 0.9.7 the changes were merged into the main development line,
-so that the special release is no longer necessary.
+version 0.9.7 (not yet released) the changes were merged into the main
+development line, so that the special release is no longer necessary.
[LEGAL] =======================================================================
their software on operating systems that don't normally include OpenSSL.
If you develop open source software that uses OpenSSL, you may find it
-useful to choose an other license than the GPL, or state explicitely that
+useful to choose an other license than the GPL, or state explicitly that
"This program is released under the GPL with the additional exemption that
compiling, linking, and/or using OpenSSL is allowed." If you are using
GPL software developed by others, you may want to ask the copyright holder
reject.
The solution is to add the relevant CA certificate to your servers "trusted
-CA list". How you do this depends on the server sofware in uses. You can
+CA list". How you do this depends on the server software in uses. You can
print out the servers list of acceptable CAs using the OpenSSL s_client tool:
openssl s_client -connect www.some.host:443 -prexit
(CN) field of the certificate. If it does not then you get a warning.
+* How do I install a CA certificate into a browser?
+
+The usual way is to send the DER encoded certificate to the browser as
+MIME type application/x-x509-ca-cert, for example by clicking on an appropriate
+link. On MSIE certain extensions such as .der or .cacert may also work, or you
+can import the certificate using the certificate import wizard.
+
+You can convert a certificate to DER form using the command:
+
+openssl x509 -in ca.pem -outform DER -out ca.der
+
+Occasionally someone suggests using a command such as:
+
+openssl pkcs12 -export -out cacert.p12 -in cacert.pem -inkey cakey.pem
+
+DO NOT DO THIS! This command will give away your CAs private key and
+reduces its security to zero: allowing anyone to forge certificates in
+whatever name they choose.
+
+
[BUILD] =======================================================================
* Why does the linker complain about undefined symbols?
for download instructions) can be safely used, for example.
-* Why does the OpenSSL compilation fail on Alpha True64 Unix?
+* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
-On some Alpha installations running True64 Unix and Compaq C, the compilation
+On some Alpha installations running Tru64 Unix and Compaq C, the compilation
of crypto/sha/sha_dgst.c fails with the message 'Fatal: Insufficient virtual
memory to continue compilation.' As far as the tests have shown, this may be
a compiler bug. What happens is that it eats up a lot of resident memory
* Why doesn't my server application receive a client certificate?
Due to the TLS protocol definition, a client will only send a certificate,
-if explicitely asked by the server. Use the SSL_VERIFY_PEER flag of the
+if explicitly asked by the server. Use the SSL_VERIFY_PEER flag of the
SSL_CTX_set_verify() function to enable the use of client certificates.
projects / openssl.git / blobdiff