> Thanks very much, I'm starting to understand this. One last question:
> what's the difference between the export password and the password that
> the system asks for when creating a key for which -des3 was specified?
> Why doesn't the export just inherit/use the key encryption password?
> This is confusing!
There is no reason you couldn't enter the same password for both purposes. Generally, it's considered bad form for crypto applications to keep passwords that protect keys around after you've entered them, so instead they are generally coded to prompt you each time they plan to use a password for something. This ensures that any operation using the password is only approved by someone who knows the password.

The logical process is generally that you generate a key, which you have to store somehow, and then get a certificate later. Once you have the certificate, it's convenient to bundle the certificate and key together and use that unit. So it just follows the logical flow of the certificate issuing and packaging process.

For example, suppose someone asks me to obtain a code signing key for my company. I would generate a key and store it encrypted on my machine. I might use a password only I know. Then when I get the key and certificate, I might call each person authorized to have the key/cert into my office. I would let them each enter their own password for the combined object and let them leave with the key/cert on a disk or something.

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
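The two-password flow described in the reply, as an added example (not from the thread): the -des3 password protects the PEM key file on disk, the PKCS#12 export password protects the bundled key/cert, and the script checks that the bundle opens only with the export password. File names, subject and both passwords are constructed for the demo.

```shell
#!/bin/sh
# Added example: the key-encryption password and the PKCS#12 export password
# are independent secrets. All paths and passwords below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY_PASS='key-password-only-I-know'      # protects key.pem on my machine
EXPORT_PASS='export-password-for-colleague'  # protects the bundled .p12

# 1. Generate an RSA key encrypted with the key password (-des3, as asked).
gen_key() {
  openssl genrsa -des3 -passout "pass:$KEY_PASS" -out "$WORK/key.pem" 2048 2>/dev/null
}

# 2. A self-signed certificate stands in for the one a CA would issue later.
make_cert() {
  openssl req -new -x509 -key "$WORK/key.pem" -passin "pass:$KEY_PASS" \
    -subj "/CN=example-codesign" -days 1 -out "$WORK/cert.pem" 2>/dev/null
}

# 3. Bundle key + cert. The key password only unlocks key.pem for reading;
#    the export password is the new secret that protects the bundle.
export_p12() {
  openssl pkcs12 -export -inkey "$WORK/key.pem" -passin "pass:$KEY_PASS" \
    -in "$WORK/cert.pem" -passout "pass:$EXPORT_PASS" \
    -out "$WORK/bundle.p12" 2>/dev/null
}

# Returns 0 if the given password opens the bundle, non-zero otherwise.
p12_opens_with() {
  openssl pkcs12 -in "$WORK/bundle.p12" -passin "pass:$1" -noout >/dev/null 2>&1
}

# Runs the whole flow; returns 0 only if the bundle opens with the export
# password and NOT with the key password.
run_demo() {
  gen_key || return 1
  make_cert || return 1
  export_p12 || return 1
  p12_opens_with "$EXPORT_PASS" || return 1
  p12_opens_with "$KEY_PASS" && return 1
  return 0
}

run_demo
echo "bundle.p12 opens with the export password only"
```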