Uri wrote:
> Does openssl (9.0.9.7g or 0.9.8beta6) allow creating certs (signing
> others' public keys) without having their private keys presented to the
> signer?
> 
> [For having to bring private key along with the public key sort of
> defeats the whole purpose of PKI.]
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
> 
> 
Maybe someone should just give a little introduction on
how to do it with OpenSSL?

Ok. If you do not want the CA to create secret keys for
the users, then every user has to create his/her own
key pair (using "openssl genrsa" for example). Afterwards,
a certificate request is generated and sent to the CA.
This request contains the user's (or server's, if you are
doing server certificates) name and the public key, and
it is signed with the secret key of the user (using
"openssl req"). The CA makes sure that the request is ok
and really belongs to the given user/server, and a
certificate is created with the given name and public
key from the request (using "openssl ca").
The certificate is sent to the user (or server administrator),
who then has both, the secret key and the certificate.

Hmmm... pretty much all right now... Cheers,
  Olaf

-- 
Dipl.Inform. Olaf Gellert                  PRESECURE (R)
Senior Researcher,                       Consulting GmbH
Phone: (+49) 0700 / PRESECURE           [EMAIL PROTECTED]

                        A daily view on Internet Attacks
                        https://www.ecsirt.net/sensornet
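
The workflow described in the reply above, as an added example that is not part of the original post: the user runs "openssl genrsa" and "openssl req", only the request file reaches the CA, and the CA runs "openssl ca". The subject names, the directory layout and the minimal config file are assumptions made up for this demo.

```shell
# Added example. Subject names and the directory layout are constructed.
# $work/user is the user's machine, $work/ca is the CA's machine.
csr_flow() {
    work=$(mktemp -d) || return 1
    user="$work/user"; ca="$work/ca"; cnf="$work/demo.cnf"
    mkdir -p "$user" "$ca/newcerts" || return 1
    : > "$ca/index.txt"; echo 01 > "$ca/serial"
    cat > "$cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $ca/index.txt
new_certs_dir = $ca/newcerts
serial = $ca/serial
default_md = sha256
default_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    {   # CA setup: its own key and self-signed certificate (demo only).
        openssl genrsa -out "$ca/ca.key" 2048 &&
        openssl req -x509 -new -config "$cnf" -key "$ca/ca.key" \
            -subj "/CN=Demo CA" -days 30 -out "$ca/ca.crt" &&
        # User: the key pair stays here; the request is signed with it.
        openssl genrsa -out "$user/user.key" 2048 &&
        openssl req -new -config "$cnf" -key "$user/user.key" \
            -subj "/CN=alice.example" -out "$user/user.csr" &&
        cp "$user/user.csr" "$ca/" &&   # only the request is handed over
        # CA: check the request's self-signature, then issue and verify.
        openssl req -verify -noout -config "$cnf" -in "$ca/user.csr" &&
        openssl ca -batch -notext -config "$cnf" -cert "$ca/ca.crt" \
            -keyfile "$ca/ca.key" -in "$ca/user.csr" -out "$ca/user.crt" &&
        openssl verify -CAfile "$ca/ca.crt" "$ca/user.crt"
    } >/dev/null 2>&1 || { rm -rf "$work"; return 1; }
    # The issued certificate must carry exactly the user's public key.
    from_key=$(openssl pkey -in "$user/user.key" -pubout)
    from_crt=$(openssl x509 -in "$ca/user.crt" -noout -pubkey)
    [ "$from_key" = "$from_crt" ] && result=issued || result=mismatch
    rm -rf "$work"
    echo "$result"
}
csr_flow
```

The "openssl req -verify" step is the CA's check that the requester holds the private key matching the public key in the request; checking that the name really belongs to that requester is a separate, out-of-band step.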
