Erwann ABALEA wrote:

> > friendlyName, then look for their public key cert using that friendlyName,
> > then look for a corresponding private key using the friendlyName.  If I
> > can't find a private key with that friendlyName, I use the localKeyID from
> > the public key cert to match.  If there is no localKeyID then I error out.
> > Does that sound like a reasonable matching algorithm?  Can localKeyIDs
> > be used to match across different files? Well... I should rephrase... Is this
> > common, or acceptable practice?
>
> How is that localKeyID calculated? Is it a hash of the public key? If yes,
> then this sounds an acceptable practice, if you really *need* to keep
> separate PKCS#12 files, which is uncommon.

localKeyID is calculated differently in different places.  MSIE, when exporting
keys, makes the localKeyID "01 00 00 00" in all cases, and makes the friendlyName
something that resembles a GUID.  Netscape seems to hash something or
other, as does Mozilla. But in general, I think the localKeyID found on a public
key is supposed to match the localKeyID on the corresponding private key.
I haven't found any documentation that explicitly says that, but it seems that
that's been the case in my experience.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
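The matching order discussed above (friendlyName first, then localKeyID, otherwise an error), worked through as an added example that is not code from this thread or from OpenSSL. It reads the text listing that `openssl pkcs12 -nodes -info` prints for a file and matches certificate bags from one dump against key bags from another; the two dumps are constructed and their PEM bodies are placeholders, and the GUID-like friendlyName is an invented stand-in for the MSIE style mentioned above. One caveat the example enforces: when an exporter stamps every bag with the same localKeyID (the "01 00 00 00" case), falling back to localKeyID can match several keys, so anything other than exactly one candidate is reported as an error instead of picking one.

```python
# Added example (not from the OpenSSL thread): match PKCS#12 cert bags to key bags
# by friendlyName, then localKeyID, using the text listing `openssl pkcs12 -nodes -info`
# prints. Constructed dumps below; PEM bodies are placeholders. A localKeyID shared by
# several key bags (the all-"01 00 00 00" export pattern) is reported as ambiguous.
import re
from dataclasses import dataclass
from typing import Optional

ATTR_RE = re.compile(r"^\s+(friendlyName|localKeyID):\s*(.*?)\s*$")


@dataclass
class Bag:
    kind: str                   # "cert" or "key"
    friendly_name: Optional[str]
    local_key_id: Optional[str]


def parse_dump(text: str) -> list:
    """Attribute lines after a ``Bag Attributes`` header belong to the next PEM block."""
    bags, attrs, in_pem = [], {}, False
    for line in text.splitlines():
        if in_pem:
            if line.startswith("-----END "):
                kind = "cert" if "CERTIFICATE" in line else "key"
                bags.append(Bag(kind, attrs.get("friendlyName"), attrs.get("localKeyID")))
                attrs, in_pem = {}, False
        elif line.startswith("Bag Attributes"):
            attrs = {}                           # new bag: drop stale attributes
        elif (m := ATTR_RE.match(line)):
            attrs[m.group(1)] = m.group(2)
        elif line.startswith("-----BEGIN "):
            in_pem = True
    return bags


def match_key(cert: Bag, keys: list) -> Bag:
    """Key bag for ``cert``; raises LookupError unless exactly one key qualifies."""
    hits = [k for k in keys if cert.friendly_name and k.friendly_name == cert.friendly_name]
    how = f"friendlyName {cert.friendly_name!r}"
    if not hits:                                 # no friendlyName match: fall back to localKeyID
        if cert.local_key_id is None:
            raise LookupError("no friendlyName match and the certificate has no localKeyID")
        hits = [k for k in keys if k.local_key_id == cert.local_key_id]
        how = f"localKeyID {cert.local_key_id}"
    if len(hits) == 1:
        return hits[0]
    raise LookupError(f"{how}: {len(hits)} key bags match (need exactly one)")


def match_all(cert_dump: str, key_dump: str) -> dict:
    """Map each cert (its friendlyName, or cert#N) to the matched key's name or an error."""
    keys = [b for b in parse_dump(key_dump) if b.kind == "key"]
    out = {}
    for i, cert in enumerate(b for b in parse_dump(cert_dump) if b.kind == "cert"):
        label = cert.friendly_name or f"cert#{i}"
        try:
            key = match_key(cert, keys)
            out[label] = key.friendly_name or f"localKeyID {key.local_key_id}"
        except LookupError as err:
            out[label] = f"ERROR: {err}"
    return out


# Constructed sample dumps in the `openssl pkcs12 -nodes -info` layout.
CERT_DUMP = """\
Bag Attributes
    friendlyName: server-2024
    localKeyID: A1 B2 C3 D4
subject=CN = server
-----BEGIN CERTIFICATE-----
placeholder
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: {7D2F0C3A-GUID-LIKE}
    localKeyID: 01 00 00 00
-----BEGIN CERTIFICATE-----
placeholder
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01 00 00 00
-----BEGIN CERTIFICATE-----
placeholder
-----END CERTIFICATE-----
"""
KEY_DUMP = """\
Bag Attributes
    friendlyName: server-2024
    localKeyID: A1 B2 C3 D4
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
placeholder
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: client-old
    localKeyID: 01 00 00 00
-----BEGIN PRIVATE KEY-----
placeholder
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: {7D2F0C3A-GUID-LIKE}
    localKeyID: 01 00 00 00
-----BEGIN PRIVATE KEY-----
placeholder
-----END PRIVATE KEY-----
"""
```

Calling `match_all(CERT_DUMP, KEY_DUMP)` resolves the first two certificates by friendlyName (the second one despite sharing the "01 00 00 00" localKeyID with an unrelated key) and reports the third, which has no friendlyName, as an error because two key bags carry its localKeyID. Pointing this at real files means running `openssl pkcs12 -in file.p12 -nodes -info` on each file and passing the outputs in.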