I have used openssl to set up a CA to sign site certificates and client certificates. All is working just great, however I have a couple of questions to ask so that I don't go insane.

Why is it that a Microsoft box requires SSL certificates be imported from a PKCS12 file when all other operating systems and software are OK with a PEM certificate? PKCS12 contains the private key of the key pair alongside the certificate and this is simply not necessary unless you actually NEED the primary key, for example when the box on which you are installing the .pfx (p12) file didn't generate the Private Key but it is required to sign code/email using the private key, using the signed certificate for encryption. The primary key, I thought, should ideally have ONE home and not be moved about even if this PKCS12 is SUPPOSEDLY secure. (People choose crappy passphrases so I'm sure brute forcing it wouldn't take long with today's computers.)

Another question I have is I have seen documentation on the net showing CSRs being generated that catenate the private key and PEM encoded certificate request prior to being sent for signing by the CA. This again seems *strange*. Why is this done? I can give you a URL where this is done, but I've seen the combining of the key and request in *many* net resources and it seems *strange* to me that anyone would want to send their private key across the insecure website along with the CSR to be signed! Here is an example of a site showing this: http://sandbox.rulemaker.net/ngps/m2/howto.ca.html.

I have also seen the primary key added to a certificate AFTER it's been returned, signed, from the CA but I guess this could just be for exporting onto a system for which the request was made on the behalf of. Sorry for the badly worded sentence!

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
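A pre-submission check for the concern raised in the post about a private key travelling with a CSR. This is an added example, not part of the original message or of OpenSSL: the function names `pem_labels` and `safe_to_submit` are hypothetical, and the two sample files are constructed with placeholder bodies.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Print the label of every PEM block in a file, one per line.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Exit status: 0 = only certificate requests, safe to send to the CA
#              1 = a private key block is present, do not send
#              2 = no PEM blocks found
#              3 = some other block type is mixed in
safe_to_submit() {
    labels=$(pem_labels "$1")
    [ -n "$labels" ] || return 2
    # Matches PRIVATE KEY, RSA/EC/DSA PRIVATE KEY and ENCRYPTED PRIVATE KEY.
    if printf '%s\n' "$labels" | grep -q 'PRIVATE KEY$'; then
        return 1
    fi
    if printf '%s\n' "$labels" | grep -qv -e '^CERTIFICATE REQUEST$' \
                                          -e '^NEW CERTIFICATE REQUEST$'; then
        return 3
    fi
    return 0
}

# Constructed sample files: the base64 bodies are placeholders, not real keys.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/request.pem" <<'EOF'
-----BEGIN CERTIFICATE REQUEST-----
Q09OU1RSVUNURUQgU0FNUExFIEJPRFk=
-----END CERTIFICATE REQUEST-----
EOF
cat > "$demo_dir/combined.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQgU0FNUExFIEJPRFk=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
Q09OU1RSVUNURUQgU0FNUExFIEJPRFk=
-----END CERTIFICATE REQUEST-----
EOF

for f in request.pem combined.pem; do
    if safe_to_submit "$demo_dir/$f"; then
        echo "$f: request only, ok to send"
    else
        echo "$f: refused (status $?)"
    fi
done
```

The check reads only the PEM armor labels, so it works on a file of unknown origin without parsing or decrypting anything in it.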