[Help-gnutls] Re: Exporting a PKCS#12 structure without the private key

Fabian Fagerholm fabbe at paniq.net
Tue Nov 9 14:05:44 CET 2004


On Tue, 2004-11-09 at 00:58 +0100, Simon Josefsson wrote:
> I've made it possible to do so now in CVS.
> 
> Hopefully the daily snapshot will build tonight, so you can test it
> tomorrow, even if you are not already building from CVS.
> 
> It should then be possible to do:
> 
> $ certtool --to-p12 --load-certificate ~/cert.pem

This seems to work nicely -- thank you!

> The simplest is to distribute the certificates as-is (i.e., DER/PEM).
> 
> PKCS#12 is typically used when you are transferring the private key.
> 
> You can create a degenerative PKCS#7 structure with only certificates,
> but if someone isn't forcing you to use this approach, I'd say forget
> about it.  Incidentally, it seems certtool doesn't support this
> either.

It seems that some programs will not work with the DER or PEM formats,
but require the use of PKCS#12. That's obviously a big flaw in those
programs, especially if PKCS#12 is primarily meant as a format that
should always contain a certificate and its key. I really can't imagine
that it would be a common requirement to supply the secret key to your
users...

Cheers,
-- 
Fabian Fagerholm <fabbe at paniq.net>