-1

I've been using the openssl pkcs12 command to pack my certs/keys up for Windows 8,

    openssl pkcs12 -export         \
        -in win8client-cert.pem    \
        -inkey win8client-key.pem  \
        -certfile ca-cert.pem      \
        -out win8client.p12

However, I'm not entirely clear what it does. If I'm feeding it the -certfile, why is it that the certfile must also be manually installed on the host machine (a Windows 8 box)? When I take the .p12 and extract the cacert (using the Certificates MMC on Windows) I can install it on the host box and everything works fine.

Why can't it just get the CA cert from the .p12 (which is just a packing format by my understanding)?

Evan Carroll

1 Answer

6

The Certificates MMC, when importing a PKCS#12 file, puts all certificates in the Personal/Certificates folder, even the CA certificate. The problem is that CA certificates have to be located in the Trusted Root Certification Authorities/Certificates folder to be actually used as root in a certificate chain verification. Therefore, if you manually move the certificate to that folder after importing the PKCS#12 container everything should work as expected.

ecdsa
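
The move described in the answer can also be scripted. The following PowerShell is an added example, not part of the original question or answer: it imports the container, then moves only the CA certificate whose thumbprint you have verified out of band from the Personal store to Trusted Root. The store location (`LocalMachine`, which needs an elevated prompt), the working directory and the thumbprint placeholder are assumptions.

```powershell
# Added example. Assumed: machine store, .p12 in the current directory.
$location = 'LocalMachine'
$p12Path  = '.\win8client.p12'
# Placeholder: SHA-1 thumbprint of ca-cert.pem, checked out of band, e.g. with
#   openssl x509 -in ca-cert.pem -noout -fingerprint -sha1   (colons removed)
$caThumb  = '<THUMBPRINT-OF-CA-CERT>'

# 1. Import the container. The certificates it holds, CA included, go to the
#    destination store given here: Personal (My).
$pw   = Read-Host -AsSecureString -Prompt 'PKCS#12 export password'
$leaf = Import-PfxCertificate -FilePath $p12Path `
            -CertStoreLocation "Cert:\$location\My" -Password $pw

# 2. Pick out the CA certificate by its verified thumbprint only. Never promote
#    "whatever else was in the file" to a trust anchor.
$ca = Get-ChildItem "Cert:\$location\My" |
      Where-Object { $_.Thumbprint -eq $caThumb }
if (-not $ca)                   { throw "CA certificate $caThumb not found in My" }
if ($ca.Subject -ne $ca.Issuer) { throw 'Certificate is not self-signed; not a root' }
if ($ca.HasPrivateKey)          { throw 'Refusing to move a certificate that has a private key' }

# 3. Add it to Trusted Root Certification Authorities, then remove the copy
#    left in Personal.
$x509 = 'System.Security.Cryptography.X509Certificates'
$root = New-Object "$x509.X509Store" 'Root', $location
$root.Open('ReadWrite')
try { $root.Add($ca) } finally { $root.Close() }

$my = New-Object "$x509.X509Store" 'My', $location
$my.Open('ReadWrite')
try { $my.Remove($ca) } finally { $my.Close() }

# 4. Confirm the client certificate now chains to a trusted root.
#    Revocation checking is skipped here (assumed: a private CA without CRLs).
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($leaf)) {
    'Chain OK, root: ' + $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
} else {
    $chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }
}
```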