Bruno Costacurta schrieb:
Almost 100% correct till here (PKCS#12 is not a format specific for certificates but "a bag" which can contain certificates, keys and probably other things).Hello,as a newbie, I have some assumptions / questions hereafter about OpenSSL and certificates. Many thanks to correct / confirm me.- a certificate is a public key with metadata- metadata contain mandatories (ie. subject and issuer) and optional parameters - there is no relation between the key algorithm (ie.RSA) and the format of the certificate (ie.PKCS#12)- a certificate can always be converted to another format- the certificate request (.csr) is obsolete (and so should be deleted) once the certificate is created by the CA- technically speaking a 'home-made' CA is egual to a 'professional' CA
- the CA remains fully secure as long its private key remains undistributed / uncompromised... and the key is strong enough not to be broken (brute force or otherwise). And your procedures are good enough that noone can trick you into issuing fake certificates. And many things more. So what you are saying is one important part of the truth, but you can probably spend a lifetime with the rest of it.
- for a CA, files serial & index files allows to maintain a (type of) database to persist which certificates (with related metadata values) were created by this CAAlmost correct. The serial file has to make sure that there are no two certificates with the same serial number issued by the same CA.
If you are still talking of only the serial number you are correct. But if you also know the issuing CA you can uniquely identify the certificate. A CRL (Certificate Revocation List) for example works by publishing the serial numbers which have been revoked by a CA and OCSP also tells you the status of a certificate if you only tell the (CA specific) responder the serial number.- serial information within the certificate is useless
That beats me. I don't think the typical client (that is, a browser) can handle multiple keys of the subject if it would be possible to encode it. And I cannot think of possible uses for multiple keys in one certificate. Of course more public keys could be included as certificate extensions if you write your own sofware that does something with these extensions.- can a certificate contain more than one public key ?
Thanks for attention. Bye, Bruno
Hope it helps. Ted ;) -- PGP Public Key Information Download complete Key from http://www.convey.de/ted/tedkey_convey.asc Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
smime.p7s
Description: S/MIME Cryptographic Signature
