> I'm curious. You say your CA gave you a PKCS12 file with
> a cert in it, *and* a private key in it? Whose private key
> did they give you? If it's yours, then you've just opened a huge security
> hole by allowing them access to your private key. If it's someone
> else's, can you send it to me so I can forge some documents?

This CA generates the full key pair for me; I didn't give them my private key. They make a PKCS12 file available for download which contains the private key, and I have been able to create a certificate file out of it using openssl, so in some form or other all the fields in that certificate are present in the PKCS12 file.

Of course it is a bit of a security hole because they generate the whole key pair, not just sign a public key I give them. But that is the case in several corporate PKIs (at least I know of one real example in a big German corporation), and it is a necessary hole because employees might lose their private keys, and the company must be able to access the data employees are sent, encrypted with their public keys, even after such an event.

I must trust the CA that gave me this certificate of course. But no one else can see the private key because it is of course protected with a password of my choice.

The attraction of this service is that I am talking about a freemail provider. Their policy is that you register with them and they send you a letter with an "activator" key which I then enter on their web page, and that is enough for them to trust my identity (I did receive their letter) and issue me with a certificate. No cost for me at all. And I get a nice "real world" example to study certificates and PKI and openssl, which I need to do.

Sebastian

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
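
Added example, not part of the original message or of the OpenSSL project: a shell sketch of the situation discussed in this thread, where one PKCS12 file carries both the certificate and the private key, showing how to split it with openssl and confirm the key belongs to the certificate. The bundle is constructed locally from a throwaway self-signed certificate; the subject, file names and password are assumptions.

```shell
#!/bin/sh
# Added example. The bundle is constructed locally with a throwaway
# self-signed certificate; subject, file names and password are assumptions.
WORK=$(mktemp -d)
P12="$WORK/bundle.p12"
P12_PASS='constructed-demo-password'

# Stand-in for the CA side: key pair and certificate are generated together
# and shipped as one password-protected PKCS#12 file.
make_demo_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=constructed-demo-user' \
        -keyout "$WORK/issued.key" -out "$WORK/issued.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/issued.key" -in "$WORK/issued.crt" \
        -name demo -passout "pass:$P12_PASS" -out "$P12"
}

# Recipient side: pull out the certificate only (no key material).
extract_cert() {
    openssl pkcs12 -in "$P12" -passin "pass:$P12_PASS" -nokeys -clcerts \
        2>/dev/null | openssl x509 -out "$WORK/out.crt"
}

# Recipient side: pull out the private key. -nodes writes it unencrypted,
# so the umask restricts the file mode before anything is written.
extract_key() {
    ( umask 077
      openssl pkcs12 -in "$P12" -passin "pass:$P12_PASS" -nocerts -nodes \
          2>/dev/null | openssl pkey -out "$WORK/out.key" )
}

# SHA-256 over the DER SubjectPublicKeyInfo, from a certificate or a key.
cert_spki_digest() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}
key_spki_digest() {
    openssl pkey -in "$1" -pubout -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only if the extracted key belongs to the extracted certificate.
key_matches_cert() {
    [ "$(cert_spki_digest "$1")" = "$(key_spki_digest "$2")" ]
}

make_demo_p12 && extract_cert && extract_key
key_matches_cert "$WORK/out.crt" "$WORK/out.key" && echo "key and cert match"
openssl x509 -in "$WORK/out.crt" -noout -subject -dates
```

The same digest comparison works on a bundle downloaded from a real CA by pointing `P12` and `P12_PASS` at it and skipping `make_demo_p12`.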