On Tue, Jan 29, 2008, Milinda Pathirage wrote:

> Hi all,
> Please excuse me if this is a dumb question.
> I am currently involved in a project in which I need to create a key store which
> has functions like Java Key Store in C. My requirement is to store several
> X509 certificates with the owner's certificate and private key in a pkcs12 file.
> And my programming interface must be capable of retrieving any of the
> certificates stored in that key store file.
> I tried the following command [1] to store my certificate, my private key,
> another x509 certificate and CA certificate, and the command worked well.
> [1] openssl pkcs12 -export -in ksb_cert.pem -inkey ksb_priv_key.pem -CAfile
> ca_cert.pem -certfile sup_cert.pem -name "test" -out final_3.p12

The -CAfile option supplies trusted CA certificates that *may* be needed to
include the whole certificate chain. If you don't include the -chain option
they won't be used, and even then only those necessary to include the complete
chain will be used.

> But this PKCS12_verify_mac(store->pkcs12_in, pass,-1) function call always
> returns 0 even though I give the correct password. I use my own structure to
> store the PKCS12 structure.

See what error you get. Could be an FAQ:


Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
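
The effect of -chain described in the reply, and a command-line check of the MAC with a right and a wrong password, as an added example that is not part of the original messages. The keys and certificates are constructed test data; the password `secret`, the file `req.cnf`, the `*_key.pem` names and the helper functions are assumptions of this example.

```shell
#!/bin/sh
# Added example: constructed keys and certificates, written to a temp directory.
set -e
work=$(mktemp -d) && cd "$work"

# Minimal request config so the test CA gets basicConstraints CA:TRUE.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# mkself NAME: self-signed certificate NAME_cert.pem with key NAME_key.pem
mkself() {
    openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=constructed $1" -keyout "$1_key.pem" -out "$1_cert.pem" 2>/dev/null
}
mkself ca     # stands in for ca_cert.pem
mkself sup    # stands in for sup_cert.pem (unrelated extra certificate)

# Owner certificate signed by the test CA (stands in for ksb_cert.pem).
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -subj "/CN=constructed ksb" \
    -keyout ksb_key.pem -out ksb.csr 2>/dev/null
openssl x509 -req -in ksb.csr -CA ca_cert.pem -CAkey ca_key.pem \
    -CAcreateserial -days 2 -out ksb_cert.pem 2>/dev/null

# export_p12 OUT [extra options]: the command from the question plus a password
export_p12() {
    out=$1; shift
    openssl pkcs12 -export -in ksb_cert.pem -inkey ksb_key.pem -CAfile ca_cert.pem \
        -certfile sup_cert.pem -name test -passout pass:secret -out "$out" "$@"
}
# count_certs FILE: number of certificates stored in the PKCS#12 file
count_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin pass:secret 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
# mac_ok FILE PASSWORD: exit status 0 only if the MAC verifies with PASSWORD
mac_ok() { openssl pkcs12 -in "$1" -noout -passin "pass:$2" 2>/dev/null; }

export_p12 no_chain.p12
export_p12 chain.p12 -chain
echo "without -chain: $(count_certs no_chain.p12) certs; with -chain: $(count_certs chain.p12) certs"
mac_ok chain.p12 wrong || echo "wrong password: MAC verification fails"
```

Without -chain the CA certificate from -CAfile is left out of the file, so only the owner certificate and the -certfile certificate are stored.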