> 
> For all these operations you must be aware that two different items
> are needed:
> - the private key (secret)
> - the public key (included in the "certificate")
> 
> If you only download the user-cert, the corresponding private key
> is missing; this is what Netscape tries to tell you.
> 
> Netscape does have its own function to generate a private/public
> key pair. It then keeps the private key and includes the public
> key with a "request". The request is then signed by the CA and
> sent back to Netscape, which still has the private key.
> This is used by several CA packages.
> 
> Hmm, I don't know whether you can also download the private key
> via an "application/x-x509..." transfer; I only ever used the
> PKCS12 way. It however would not make sense to have such a function,
> since the private key of the user should only be known to him.
> If somebody else created it, it is worthless.
> 
> Best regards,
>       Lutz
> PS. Having said this, for several of my DAUs I have created the keys
> and the computer center of our university offers the same service for
> those who don't know how to create such a key...
> -- 
> Lutz Jaenicke                             [EMAIL PROTECTED]
> BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
> Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]

Maybe I'm too new to this topic, but isn't it true that PKCS12 contains both
the public and the private key?
Furthermore the client only should be able to prove that he/she got the
certificate I gave him/her to authenticate. I don't see the need of a
private key (for the client) here. Well, the public key shouldn't be here
as public as one could think.

Thomas
-- 
_________________________________________________________
 Thomas Barthel                     e-mail: [EMAIL PROTECTED]
 SuSE GmbH Nuernberg, Germany

"Internet is a wonderful mechanism for making a fool
 of yourself in front of a very large audience"
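
The enrollment flow described in the quoted message (key pair generated on the client, request signed by the CA, certificate returned), as an added example using the openssl command line; it is not part of either poster's message. It also builds a PKCS#12 file with and without the private key. All file names, subject names, function names and the password are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: file names, subjects and the password are made up.
PASS=example

# CA side: a throwaway self-signed test CA.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Client side: generate the key pair locally; only the request leaves the client.
make_request() {
    openssl genrsa -out "$1/user.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/user.key" -subj "/CN=Example User" -out "$1/user.csr"
}

# CA side: sign the request. The CA never sees user.key.
sign_request() {
    openssl x509 -req -in "$1/user.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/user.crt" 2>/dev/null
}

# True if the certificate carries the public half of the given private key.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# PKCS#12 with key and certificate, plus a certificate-only file for comparison.
make_bundles() {
    openssl pkcs12 -export -inkey "$1/user.key" -in "$1/user.crt" \
        -out "$1/user.p12" -passout "pass:$PASS" &&
    openssl pkcs12 -export -nokeys -in "$1/user.crt" \
        -out "$1/certonly.p12" -passout "pass:$PASS"
}

# True if the PKCS#12 file contains a private key.
p12_has_private_key() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null |
        grep -q "PRIVATE KEY"
}

demo() {
    d=$(mktemp -d) && make_ca "$d" && make_request "$d" && sign_request "$d" &&
    make_bundles "$d" || return 1
    key_matches_cert "$d/user.key" "$d/user.crt" && echo "key matches certificate"
    p12_has_private_key "$d/user.p12" && echo "user.p12: has private key"
    p12_has_private_key "$d/certonly.p12" || echo "certonly.p12: no private key"
    rm -rf "$d"
}
demo
```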