Re: Creating password-protected certs.

2002-05-01 Thread Richard Levitte - VMS Whacker

In message <[EMAIL PROTECTED]> on Tue, 30 Apr 2002 
06:30:34 -0700 (PDT), Tim Jones <[EMAIL PROTECTED]> said:

t0psecret> Thanks for the help... I'm pretty new at this stuff. 
t0psecret> So, the private key is protected with the export
t0psecret> password, but this is a one-time password that is only
t0psecret> used when importing?  From my standpoint it would
t0psecret> really be nice to have a permanent password on the
t0psecret> private key... Is this something that is common with
t0psecret> SSL?  If not, I'm wondering how Windows would react to
t0psecret> such a thing.

It *is* a permanent password.  The private key is simply encrypted
with that password as a master key.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: Creating password-protected certs.

2002-04-30 Thread Vadim Fedukovich

On Tue, 30 Apr 2002, Richard Levitte - VMS Whacker wrote:

> In message <[EMAIL PROTECTED]> on Mon, 29 Apr 2002 
>12:22:32 -0700 (PDT), Tim Jones <[EMAIL PROTECTED]> said:
>
> t0psecret> I'm trying to create password-protected client certs
> t0psecret> with OpenSSL and ssl.ca-0.1.tar.gz.  Is this what
> t0psecret> "export password" refers to (when creating the key),
> t0psecret> or is there another way?  I'm not sure whether the
> t0psecret> export password is a permanent password for the cert
> t0psecret> or just a one-time password used to import the .p12
> t0psecret> file.
> t0psecret>
> t0psecret> If it's the former, it seems as though Windows strips
> t0psecret> this password when I import the cert, because I'm only
> t0psecret> asked for it the one time when importing. Is there any
> t0psecret> way around this?
>
> You're mixing up certificate and private key.  The password will
> protect the private key.  The certificate is (or should be) filled
> with public information only, and therefore doesn't require any
> password protection.

PKCS12 also specifies a MAC-based integrity check that uses another
password and may be useful for the certificate. Yes, one could ignore
the integrity check while parsing pkcs12 data.

just a note,
Vadim




Re: Creating password-protected certs.

2002-04-30 Thread Tim Jones


--- Richard Levitte - VMS Whacker
<[EMAIL PROTECTED]> wrote:
> In message <[EMAIL PROTECTED]> on Mon, 29 Apr 2002 12:22:32 -0700 (PDT),
> Tim Jones <[EMAIL PROTECTED]> said:
>
> t0psecret> I'm trying to create password-protected client certs
> t0psecret> with OpenSSL and ssl.ca-0.1.tar.gz.  Is this what
> t0psecret> "export password" refers to (when creating the key),
> t0psecret> or is there another way?  I'm not sure whether the
> t0psecret> export password is a permanent password for the cert
> t0psecret> or just a one-time password used to import the .p12
> t0psecret> file.
> t0psecret>
> t0psecret> If it's the former, it seems as though Windows strips
> t0psecret> this password when I import the cert, because I'm only
> t0psecret> asked for it the one time when importing. Is there any
> t0psecret> way around this?
>
> You're mixing up certificate and private key.  The password will
> protect the private key.  The certificate is (or should be) filled
> with public information only, and therefore doesn't require any
> password protection.

Thanks for the help... I'm pretty new at this stuff. 
So, the private key is protected with the export
password, but this is a one-time password that is only
used when importing?  From my standpoint it would
really be nice to have a permanent password on the
private key... Is this something that is common with
SSL?  If not, I'm wondering how Windows would react to
such a thing.





Re: Creating password-protected certs.

2002-04-30 Thread Richard Levitte - VMS Whacker

In message <[EMAIL PROTECTED]> on Tue, 30 Apr 
2002 11:03:15 +0200, Joern Sierwald <[EMAIL PROTECTED]> said:

joern> That reminds me of a question I once asked, but didn't get a reply:
joern> pkcs#12 files can contain encrypted certificates or unencrypted certificates.
joern> Since, like you notice, the cert doesn't require protection, why can't openssl
joern> generate a pkcs#12 file with encrypted private key, but cleartext cert?

That's a very good question.  I think Steve should answer that one,
since he implemented the PKCS#12 part...

Steve?

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/




Re: Creating password-protected certs.

2002-04-30 Thread Joern Sierwald

At 10:52 30.04.2002 +0200, you wrote:
>In message <[EMAIL PROTECTED]> on Mon, 29 
>Apr 2002 12:22:32 -0700 (PDT), Tim Jones <[EMAIL PROTECTED]> said:
>
>t0psecret> I'm trying to create password-protected client certs
>t0psecret> with OpenSSL and ssl.ca-0.1.tar.gz.  Is this what
>t0psecret> "export password" refers to (when creating the key),
>t0psecret> or is there another way?  I'm not sure whether the
>t0psecret> export password is a permanent password for the cert
>t0psecret> or just a one-time password used to import the .p12
>t0psecret> file.
>t0psecret>
>t0psecret> If it's the former, it seems as though Windows strips
>t0psecret> this password when I import the cert, because I'm only
>t0psecret> asked for it the one time when importing. Is there any
>t0psecret> way around this?
>
>You're mixing up certificate and private key.  The password will
>protect the private key.  The certificate is (or should be) filled
>with public information only, and therefore doesn't require any
>password protection.
>
>--
>Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]

That reminds me of a question I once asked, but didn't get a reply:
pkcs#12 files can contain encrypted certificates or unencrypted certificates.
Since, like you notice, the cert doesn't require protection, why can't openssl
generate a pkcs#12 file with encrypted private key, but cleartext cert?

Jörn Sierwald
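
Added example (not part of any poster's message and not OpenSSL project code): the layout asked about above, an encrypted private key beside a cleartext certificate in one PKCS#12 file, built with `openssl pkcs12 -export -certpbe NONE` and inspected with `-info`. The file names, subject and password are constructed, and the options are assumed to be those of a current OpenSSL release rather than the 2002 release the thread discusses.

```shell
#!/bin/sh
# Constructed sample values: password, subject and file names are made up.
PASS='constructed-export-pass'

# Create a throwaway key and self-signed cert, then export both into a
# PKCS#12 file: the key is encrypted under $PASS, the cert is not
# (-certpbe NONE). The MAC over the file is still keyed with $PASS.
make_p12() {   # $1 = working directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=constructed-client' \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -certpbe NONE -passout "pass:$PASS" -out "$1/client.p12"
}

# Dump the container structure without printing key or cert material.
# A cleartext cert sits in a plain "PKCS7 Data" safe; an encrypted one
# would show up as "PKCS7 Encrypted data". The key is always listed as
# a "Shrouded Keybag", i.e. encrypted inside the file itself.
p12_layout() {   # $1 = .p12 file
    openssl pkcs12 -in "$1" -info -noout -passin "pass:$PASS" 2>&1
}

# Succeeds only if the private key can be recovered with the password
# given: the protection stays on the file, it is not a one-time token.
key_opens_with() {   # $1 = .p12 file, $2 = password
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null |
        grep -q 'PRIVATE KEY'
}

# Usage:
#   d=$(mktemp -d) && make_p12 "$d" && p12_layout "$d/client.p12"
#   key_opens_with "$d/client.p12" "$PASS" && echo "key recovered"
```

What an importing application does with the key afterwards (for example, whether a key store re-protects it) is outside the file format and is not shown here.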





Re: Creating password-protected certs.

2002-04-30 Thread Richard Levitte - VMS Whacker

In message <[EMAIL PROTECTED]> on Mon, 29 Apr 2002 
12:22:32 -0700 (PDT), Tim Jones <[EMAIL PROTECTED]> said:

t0psecret> I'm trying to create password-protected client certs
t0psecret> with OpenSSL and ssl.ca-0.1.tar.gz.  Is this what
t0psecret> "export password" refers to (when creating the key),
t0psecret> or is there another way?  I'm not sure whether the
t0psecret> export password is a permanent password for the cert
t0psecret> or just a one-time password used to import the .p12
t0psecret> file.
t0psecret> 
t0psecret> If it's the former, it seems as though Windows strips
t0psecret> this password when I import the cert, because I'm only
t0psecret> asked for it the one time when importing. Is there any
t0psecret> way around this?

You're mixing up certificate and private key.  The password will
protect the private key.  The certificate is (or should be) filled
with public information only, and therefore doesn't require any
password protection.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
