If someone has to transfer X.509 certificates in a single bundle, it is usually recommended to pack them into PKCS#7. And the content of PKCS#7 can be signed.
OpenSSL allows packing certificates into PKCS#7 in the following way:
openssl crl2pkcs7 -nocrl -certfile domain.crt -certfile ca-chain.crt -out domain.p7b
As I understand from the man page of 'openssl crl2pkcs7', this PKCS#7 is signed:
The output file is a PKCS#7 signed data structure containing no signers and just certificates and an optional CRL.
A few questions here:
- What does 'containing no signers' mean?
- If the content (certificates) of PKCS#7 is not really signed, how can it be done using OpenSSL?
- How can the signature of PKCS#7 be verified using OpenSSL, considering that it was signed?
If I understand the overall concept wrongly, please clarify that.
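
What the quoted man page sentence means in practice, as an added example that is not part of the original post: the `crl2pkcs7` output is a SignedData container with zero SignerInfo entries, so there is a signature to verify only after the bundle is signed as content (here with `openssl smime`). The self-signed `demo.example` certificate and all file names are constructed assumptions.

```shell
#!/bin/sh
# Added example. The key, certificate and file names are constructed for the demo.

make_demo_cert() {   # $1 = work dir; throwaway self-signed certificate and key
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example" \
        -keyout "$1/domain.key" -out "$1/domain.crt" 2>/dev/null
}

pack_certs_only() {  # certs-only SignedData, same command family as the question
    openssl crl2pkcs7 -nocrl -certfile "$1/domain.crt" \
        -outform DER -out "$1/domain.p7b"
}

count_signers() {    # $1 = DER PKCS#7 file; prints the number of SignerInfo entries
    openssl pkcs7 -inform DER -in "$1" -print -noout |
        grep -c 'issuer_and_serial:' || true
}

sign_bundle() {      # sign the bundle itself as content; this adds one SignerInfo
    openssl smime -sign -binary -nodetach -in "$1/domain.p7b" \
        -signer "$1/domain.crt" -inkey "$1/domain.key" \
        -outform DER -out "$1/domain.signed.p7s" 2>/dev/null
}

verify_p7() {        # $1 = DER PKCS#7 file, $2 = trust anchor, $3 = recovered content
    openssl smime -verify -inform DER -in "$1" \
        -CAfile "$2" -purpose any -out "$3" 2>/dev/null
}

d=$(mktemp -d)
make_demo_cert "$d" && pack_certs_only "$d"
echo "SignerInfo entries in domain.p7b: $(count_signers "$d/domain.p7b")"
verify_p7 "$d/domain.p7b" "$d/domain.crt" /dev/null ||
    echo "domain.p7b: verification fails, nothing was signed"
sign_bundle "$d"
echo "SignerInfo entries in domain.signed.p7s: $(count_signers "$d/domain.signed.p7s")"
verify_p7 "$d/domain.signed.p7s" "$d/domain.crt" "$d/recovered.p7b" &&
    echo "domain.signed.p7s: signature verified"
rm -rf "$d"
```

A successful verification only proves the bundle was signed by the holder of the signer key; the certificates inside the bundle still need their own chain validation against a trusted root.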