Uri wrote:
> Does openssl (9.0.9.7g or 0.9.8beta6) allow creating certs (signing
> others' public keys) without having their private keys presented to the
> signer?
>
> [For having to bring private key along with the public key sort of
> defeats the whole purpose of PKI.]
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]
>
> Maybe someone should just give a little introduction on how to do it with OpenSSL?
Ok. If you do not want the CA to create secret keys for the users, then every user has to create his/her own key pair (using "openssl genrsa" for example). Afterwards, a certificate request is generated and sent to the CA. This request contains the user's (or server's, if you are doing server certificates) name and the public key, and it is signed with the secret key of the user (using "openssl req"). The CA makes sure that the request is ok and really belongs to the given user/server, and a certificate is created with the given name and public key from the request (using "openssl ca"). The certificate is sent to the user (or server administrator), who then has both the secret key and the certificate.

Hmmm... pretty much all right now...

Cheers,
Olaf

-- 
Dipl.Inform. Olaf Gellert
PRESECURE (R) Senior Researcher, Consulting GmbH
Phone: (+49) 0700 / PRESECURE
[EMAIL PROTECTED]
A daily view on Internet Attacks https://www.ecsirt.net/sensornet
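The workflow Olaf outlines, as an added shell example that is not part of the thread: the user generates a key pair and a CSR, the CA checks the CSR's self-signature (which proves the requester holds the matching private key without ever sending it), issues the certificate, and the result is verified against the CA and against the user's original public key. It assumes an `openssl` binary on PATH; the CA name "Example Demo CA", the subject "alice" and the throwaway CA built in a temp directory are all made up for the demo. It uses `openssl x509 -req` for the signing step as a stand-in for `openssl ca`, which needs a config file, index and serial file that a one-off demonstration does not.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post. Assumes "openssl" on PATH.
# The CA, subject names and scratch directory are constructed for the demo.
set -eu

# Runs the whole CSR flow in a scratch directory; prints "ok" on success.
csr_flow_demo() {
    work=$(mktemp -d)

    # --- CA side: its own self-signed certificate. The CA never handles user keys.
    openssl genrsa -out "$work/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$work/ca.key" -subj "/CN=Example Demo CA" \
        -days 365 -out "$work/ca.crt" 2>/dev/null

    # --- user side: the key pair stays here; only the CSR leaves the machine.
    openssl genrsa -out "$work/user.key" 2048 2>/dev/null
    openssl req -new -key "$work/user.key" -subj "/CN=alice" \
        -out "$work/user.csr" 2>/dev/null

    # --- CA side: verify the CSR's self-signature before issuing. A valid
    # signature is proof of possession of the private key, so the key itself
    # never has to be shown to the signer.
    openssl req -in "$work/user.csr" -verify -noout >/dev/null 2>&1 \
        || { echo "bad csr"; return 1; }
    # "openssl x509 -req" stands in for "openssl ca" (no config/index needed).
    openssl x509 -req -in "$work/user.csr" -CA "$work/ca.crt" -CAkey "$work/ca.key" \
        -CAcreateserial -days 365 -out "$work/user.crt" 2>/dev/null

    # --- anyone: the issued certificate chains to the CA ...
    openssl verify -CAfile "$work/ca.crt" "$work/user.crt" >/dev/null 2>&1 \
        || { echo "chain failed"; return 1; }
    # ... and carries exactly the public key the user generated locally.
    user_pub=$(openssl pkey -in "$work/user.key" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$work/user.crt" -pubkey -noout 2>/dev/null)
    [ "$user_pub" = "$cert_pub" ] || { echo "pubkey mismatch"; return 1; }

    rm -rf "$work"
    echo ok
}

if command -v openssl >/dev/null 2>&1; then
    csr_flow_demo
else
    echo "openssl not found on PATH" >&2
fi
```

The `-verify` step is the point of the design: the CSR is signed with the user's secret key, so the CA can confirm the requester controls that key purely from the public half, and the final comparison shows the certificate binds precisely the key that never left the user's machine.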