PKCS doc., including PKCS12 http://www.rsa.com/rsalabs/node.asp?id=2124
On Wed, Apr 20, 2011 at 5:03 PM, Patrick Rutkowski <rutsk...@gmail.com> wrote:

> I'm pretty new to this PKI stuff, but I'm very confused about why pkcs12
> files are encrypted.
>
> As I understand it, a basic p12 file contains within it two things:
>
> (1) A private key (private.pem in my case, an RSA key created with genrsa)
> (2) An x509 certificate (cert.pem in my case, created with req -new -x509
> -key private.pem etc...)
>
> When you create the x509 certificate it isn't encrypted, because all it
> stores inside of it is the public key which is generated from the given
> private.pem; and that's not sensitive data. As far as I can see, there
> aren't even any options in the openssl req sub-utility to encrypt the cert
> created by -new -x509.
>
> Now, if I understand correctly, when you take cert.pem and private.pem and
> store them together into a p12 file, the pkcs12 sub-utility defaults to
> encrypting the p12 file as a whole, even beyond the fact that the internal
> private key is already encrypted, and despite the fact that (I think) the
> certificate doesn't need to be encrypted.
>
> I'm guessing I'm probably missing something here. It's not just that I
> think encrypting the cert would be "silly and paranoid," it's that I don't
> understand why it needs to be encrypted in principle.
>
> Many thanks in advance for any help
> in clearing up a newbie's confusion,
> -Patrick
>
> P.S.
> If there are any de facto standard books to read on the subjects of RSA and
> PKI, I would be curious to hear a tip. I'm not necessarily just interested
> in learning how to use these technologies from a user-end perspective. I'm
> pretty solid with mathematics, so I would be curious to learn about the
> theory of the implementation details as well.
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
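As an added example (not part of the original thread), the script below reproduces the two-file setup from the question, packs the files into a PKCS#12 bundle, and uses `openssl pkcs12 -info` to show which bags OpenSSL encrypts by default: the certificate bag lands in a password-encrypted SafeContents and the key in a shrouded key bag, and `-certpbe NONE` shows that the certificate encryption is an option, not a requirement of the format. It assumes an `openssl` binary (1.1.x or 3.x) on PATH; the file names and password are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread: builds the same two files the
# question describes (genrsa key + self-signed cert), packs them into a PKCS#12
# bundle, and asks OpenSSL which parts of the bundle it encrypted.
# Assumes an `openssl` binary (1.1.x or 3.x) on PATH; paths and password are constructed.
set -e

WORK="$(mktemp -d)"
PASS="pass:constructed-demo-password"   # constructed for the demo only

make_key_and_cert() {
    openssl genrsa -out "$WORK/private.pem" 2048 2>/dev/null
    # The -x509 output carries only the public key and identity: nothing secret,
    # which is why `req` offers no option to encrypt it.
    openssl req -new -x509 -key "$WORK/private.pem" -subj "/CN=demo" -days 1 \
        -out "$WORK/cert.pem" 2>/dev/null
}

# $1 = output bundle; remaining args are extra `pkcs12 -export` options.
make_p12() {
    out="$1"; shift
    openssl pkcs12 -export -inkey "$WORK/private.pem" -in "$WORK/cert.pem" \
        -out "$out" -passout "$PASS" "$@"
}

# `-info` writes the bundle layout to stderr; merge it so grep can see it.
p12_info() {
    openssl pkcs12 -info -in "$1" -noout -passin "$PASS" -passout "$PASS" 2>&1
}

# Prints 1 when the certificate bag sits inside a "PKCS7 Encrypted data" SafeContents.
cert_bag_encrypted() {
    if p12_info "$1" | grep -q "PKCS7 Encrypted data"; then echo 1; else echo 0; fi
}

# Prints 1 when the private key is stored as a password-shrouded key bag.
key_bag_shrouded() {
    if p12_info "$1" | grep -q "Shrouded Keybag"; then echo 1; else echo 0; fi
}

make_key_and_cert
make_p12 "$WORK/default.p12"                    # OpenSSL defaults: both bags protected
make_p12 "$WORK/clearcert.p12" -certpbe NONE    # leave the certificate bag in clear
for f in default clearcert; do
    echo "$f.p12: cert bag encrypted=$(cert_bag_encrypted "$WORK/$f.p12")" \
         "key bag shrouded=$(key_bag_shrouded "$WORK/$f.p12")"
done
```

The key bag stays shrouded in both bundles; only the certificate SafeContents changes between the two runs.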