> is there any way to tag these certificates so that a
> browser will refuse to export them?
If importing p12's into MSIE don't select the option on the browser that
says "Mark private keys as exportable" if using pkcs7 on the MSIE html
request form set the "GenKeyFlags" to 1.
On Netscape you can't do anything to stop people moving their private keys
to another computer.
Have you considered using smart cards? This may go some way to solving your
problem.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
