[Help-gnutls] Re: Exporting a PKCS#12 structure without the private key

Simon Josefsson jas at extundo.com
Tue Nov 9 00:58:35 CET 2004


Fabian Fagerholm <fabbe at paniq.net> writes:

> Hi!
>
> I've created a PKCS#12 file using gnutls certtool to distribute a
> certificate to some clients. However, it seems that certtool includes
> both the certificate and the private key in that file. But I absolutely
> do not want to distribute the key, only the certificate.
>
> From reading the OpenSSL mailing lists, I've learned that PKCS#12 files
> typically include both the certificate and the private key, but that it
> isn't strictly necessary. A development version of OpenSSL can generate
> PKCS#12 files with either only the certificate or only the key. This
> option was not available before, because some programs had trouble
> handling such files.
>
> I also read that the certificate might be put into a PKCS#7 structure
> and the key in a PKCS#8 structure, but I have no idea if these formats
> are supported anywhere. Certtool seems to support PKCS#8 keys, but I
> don't know how that is going to help.
>
> Can certtool be used to put only the certificate into a PKCS#12
> structure?

I've made it possible to do so now in CVS.

Hopefully the daily snapshot will build tonight, so you can test it
tomorrow, even if you are not already building from CVS.

It should then be possible to do:

$ certtool --to-p12 --load-certificate ~/cert.pem

> Or is there another format besides PEM that would allow me to
> distribute only the certificate?

The simplest is to distribute the certificates as-is (i.e., DER/PEM).

PKCS#12 is typically used when you are transferring the private key.

You can create a degenerative PKCS#7 structure with only certificates,
but if someone isn't forcing you to use this approach, I'd say forget
about it.  Incidentally, it seems certtool doesn't support this
either.

Thanks.
