Re: Best Practices for private key files handling
On 9/18/22 06:09, Philip Prindeville wrote:
>> On Sep 15, 2022, at 4:27 PM, Michael Wojcik via openssl-users wrote:
>> You still haven't explained your threat model, or what mitigation the
>> application can take if this requirement is violated, or why you think
>> this is a "best practice".
>
> The threat model is impersonation, where the legitimate key has been
> replaced by someone else's key, and the ensuing communication is neither
> authentic nor private.

Maybe I'm ignorant, but shouldn't this be prevented by ensuring the
authenticity and correct identity mapping of the public key?

More information is needed about how your system is working to comment on
this.

Ciao, Michael.
Re: How to create indirect CRL using openssl ca command
On 3/10/22 14:06, edr dr wrote:
> I would like to be able to automate the process of updating CRLs in
> order to be able to keep the CRL validity time short.

Understandable.

> At the same time, I do not want to store passwords used for certificate
> creation in cleartext anywhere.
>
> It's a pity that there is not something like an OpenSSL key agent
> (similar to ssh-agent) for interactively loading the CA's private key
> into memory during service start.
>
> My current approach to achieve this is a separate CA only responsible
> for revocation. My understanding is that such a CA is called an
> "indirect CRL issuer".

Are you 100% sure all the software used by your relying participants is
capable of handling the X509v3 extensions involved?

In practice I saw software miserably fail validating such certs and CRLs.
Or also CAs failed to generate the certs and CRLs correctly. :-/

Ciao, Michael.
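An added example, not posted by anyone in this thread: a revocation-only CA built with the openssl ca tool, whose CRL carries the Issuing Distribution Point extension with indirectCRL=TRUE, followed by the two checks a relying party would run on the result (is it actually marked indirect, and does the signature verify against the issuer certificate). The encrypted issuer key's passphrase is handed to openssl on file descriptor 3 rather than via a file on disk or the command line; the passphrase still has to come from somewhere (a vault, a prompt at service start), so this addresses the "cleartext anywhere" concern only for the CRL-issuing step itself. The work directory, subject name, CRL URI and passphrase are constructed for the example, and the script assumes an openssl binary new enough to understand the issuingDistributionPoint config extension.

```shell
#!/bin/sh
# Added example, not from the thread: a revocation-only CA ("indirect CRL
# issuer") driven by "openssl ca". The CRL carries the Issuing Distribution
# Point extension with indirectCRL=TRUE, and the key passphrase is handed to
# openssl on file descriptor 3 so it is never written to a file or passed as
# an argument. Directory, names, URI and passphrase are assumptions.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping" >&2; exit 0; }

WORK="${WORK:-$(mktemp -d)}"

# Write the openssl config and the minimal database "openssl ca" expects.
setup_crl_ca() {
  mkdir -p "$WORK/newcerts"
  : > "$WORK/index.txt"
  echo 1000 > "$WORK/crlnumber"
  cat > "$WORK/ca.cnf" <<'EOF'
[ ca ]
default_ca = crl_ca

[ crl_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
certificate      = $dir/crlca.crt
private_key      = $dir/crlca.key
crlnumber        = $dir/crlnumber
default_md       = sha256
default_crl_days = 1
crl_extensions   = crl_ext

# Extensions placed in the CRL itself: this is what marks it as indirect.
[ crl_ext ]
authorityKeyIdentifier   = keyid:always
issuingDistributionPoint = critical, @idp

[ idp ]
indirectCRL = TRUE
fullname    = URI:http://crl.example.test/indirect.crl

# Self-signed certificate for the CRL issuer; key usage limited to cRLSign.
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = issuer_ext

[ dn ]
CN = Example Indirect CRL Issuer

[ issuer_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Create the encrypted issuer key and certificate; the passphrase arrives on fd 3.
create_issuer() {
  ( cd "$WORK" && openssl req -x509 -newkey rsa:2048 -days 30 \
      -config ca.cnf -keyout crlca.key -out crlca.crt -passout fd:3 3<<EOF
$1
EOF
  )
}

# Issue a fresh CRL; this is the step a scheduler would repeat to keep validity short.
issue_crl() {
  ( cd "$WORK" && openssl ca -config ca.cnf -gencrl -out indirect.crl -passin fd:3 3<<EOF
$1
EOF
  )
}

# Relying-party checks: the IDP extension is present and flags an indirect CRL ...
crl_is_indirect() {
  openssl crl -in "$WORK/indirect.crl" -noout -text | grep -q 'Indirect CRL'
}

# ... and the CRL signature verifies against the CRL issuer's certificate.
crl_signature_ok() {
  openssl crl -in "$WORK/indirect.crl" -CAfile "$WORK/crlca.crt" -noout
}

DEMO_PASS='constructed-demo-passphrase'   # constructed; feed a real secret here
setup_crl_ca
create_issuer "$DEMO_PASS"
issue_crl "$DEMO_PASS"
crl_is_indirect && echo "CRL is marked indirect"
crl_signature_ok && echo "CRL signature verifies against crlca.crt"
```

Running "openssl crl -text" on the output is also the quickest way to see exactly which extensions a relying party will be asked to process; if a validator or a CA toolkit in the chain chokes on a critical Issuing Distribution Point, it will show up when that same file is fed to it.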