> The certificate is only good if you have the associated key.

> If you don't have the key, the certificate isn't worth the disk space 
> that it takes up.

Not true for a CA root. 

Thought experiment: if DigiCert were to misplace their root private key, would 
you now be unable to log into amazon.com? (There would be very disruptive 
long-term implications, but things would continue to work in the medium term 
even without the private key.)

The private key is necessary to be able to *issue* certificates. Tom's 
scenario, while it may have some other shortcomings, would work exactly as Tom 
supposes.

Charles-

On Tue, 29 Aug 2023 14:40:19 -0500, Grant Taylor <gtay...@tnetconsulting.net> 
wrote:

>On 8/29/23 2:32 PM, Tom Brennan wrote:
>> Sorry - not clear.  What I meant was that in this case I ran openssl on
>> Linux, not on Windows as Charles thought.
>
>Fair enough.
>
>> What if I deleted the CA key file after creating the one web cert I
>> needed?  That would probably solve the security issue Charles mentioned,
>> but then I would need a long-term web cert, maybe not possible anymore
>> with the browser cap you mentioned.
>
>That's not going to work the way you want.
>
>The certificate is only good if you have the associated key.
>
>If you don't have the key, the certificate isn't worth the disk space
>that it takes up.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
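Charles's point, as an added example rather than anything from the thread: a throwaway CA issues one web certificate, its private key is then deleted (Tom's scenario), and the web certificate still chain-validates against the CA certificate alone, while issuing a second certificate fails. It assumes the openssl CLI is installed; every file name and subject is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): a leaf certificate keeps verifying
# after the CA private key is gone; only issuing new certificates stops.
# Requires the openssl CLI. All names and subjects are constructed.
set -e

demo_ca_without_key() {
    work=$(mktemp -d)
    cd "$work"

    # 1. Throwaway CA: private key plus self-signed root certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj "/CN=Constructed Test Root" -days 30 >/dev/null 2>&1

    # 2. One web server key and CSR, signed by the CA (this step needs ca.key).
    openssl req -newkey rsa:2048 -nodes -keyout web.key -out web.csr \
        -subj "/CN=www.example.test" >/dev/null 2>&1
    openssl x509 -req -in web.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out web.crt -days 30 >/dev/null 2>&1

    # 3. Tom's scenario: delete the CA private key, keep only ca.crt.
    rm -f ca.key ca.srl

    # 4. Chain validation uses only the public key inside ca.crt, so it passes.
    openssl verify -CAfile ca.crt web.crt >/dev/null 2>&1 || return 1

    # 5. Issuing anything new now fails: the signing key no longer exists.
    if openssl x509 -req -in web.csr -CA ca.crt -CAkey ca.key \
        -out web2.crt -days 30 >/dev/null 2>&1; then
        return 1
    fi

    cd / && rm -rf "$work"
    return 0
}

demo_ca_without_key
```

The verify step is what a TLS client does with a root it already trusts; the failed re-issue step is the only thing the missing key prevents.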