It shows that new cert with old’s name and issuer. Any fix?

OpenSSL> pkcs12 -export -out ia.p12 -inkey ia.key -in ia.crt -chain -CAfile ca.c
rt
Loading ‘screen’ into random state – done
Error self signed certificate getting chain.
error in pkcs12
OpenSSL>

After I had installed the root CA, when I opened a file in Microsoft Office that I had signed (with a certificate that had been issued using that same root cert), I was presented with the option of always trusting files signed liked that.

Next I would like to experiment with creating a certificate just for code signing. I believe the information is here: http://www.openssl.org/docs/apps/x509v3_config.html under “Extended Key Usage.”

In your instructions, I don’t know how you got around the requirement of designating an openssl.cnf configuration file. Maybe the version of OpenSSL you were using was compiled to look for it in the right place. Mine was compiled to look for it in /usr/local/ssl/openssl.cnf, which doesn’t exist on a Windows machine.

The next problem is, that on Windows XP at least, .cnf files are designated a NetMeeting “SpeedDial” files. But you can edit the file extension to break this link, or better yet have the extension open in Notepad. This isn’t absolutely necessary though.

I found the default openssl.cnf file installed in my OpenSSL/share directory, so I moved it to the bin directory, so when I ran openssl from there, I could just add -config openssl.cnf to my openssl commands when it complained about not finding it.

Finally, thank you again for your comment about the “Error self signed certificate getting chain” error. I went back and changed some of my answers to the cert issuing questions, and the error disappeared when I tried again.

My next task is to install a certificate (which one?) on my intranet Active Directory domain server, so all the computers in my domain will trust code that I sign with my digital signature.