Darn, so there's a bug in CA.pl, well, I've never explored that utility.
Anyway, if you'd just followed the instructions in the HOWTO to create
CSR's, you wouldn't end up having the private key concatenated with the
request.
And, the private key is needed by "openssl req" to sign the request.
Richard Levitte - VMS Whacker wrote:
In message <[EMAIL PROTECTED]> on Mon, 04 Jul 2005 17:16:31 -0400, Uri <[EMAIL
PROTECTED]> said:
urimobile> /At least two demoCA sripts - CA and CA.pl
CA.sh and CA.pl both do the same wrong thing, bundle the private key
with the CSR (Certificate Signature
> IT is common practice for someone making a certificate request to prove that
> they have the private key.
Normally "proof of possession" is done by signing the request *with* the
private key, not sending it in the request. The CA can then verify the
requester's possession of private key using
In message <[EMAIL PROTECTED]> on Mon, 04 Jul 2005 17:16:31 -0400, Uri <[EMAIL
PROTECTED]> said:
urimobile> /At least two demoCA sripts - CA and CA.pl
CA.sh and CA.pl both do the same wrong thing, bundle the private key
with the CSR (Certificate Signature Request or something like that,
describ
Dr. Stephen Henson wrote:
PEM should be accepted but its very picky about any extra data before the
-BEGIN CERTIFICATE- line.
Hmm... I'll check - but I suspect it's too picky for me. :-)
True. As IPsec peers can exchange their certs automatically.
and I don't think Windows suppor
It's fine for any box to store or cache certificates of any kind.
Certificates are public data, and only contain a public key.
I know that it's fine - am just describing the setup, mostly for the
benefit of those who tend to jump to conclusions and give others as
little credit as possible u
On Mon, Jul 04, 2005, Uri wrote:
> Dr. Stephen Henson wrote:
>
> >PKCS#12 isn't an appropriate format to just import a certificate. You need
> >to use PEM or DER form and an appropriate extension such as .crt.
> >
> >
> I figured this out too late. PEM isn't accepted by Windows, but DER
> (luck
Dr. Stephen Henson wrote:
PKCS#12 isn't an appropriate format to just import a certificate. You need
to use PEM or DER form and an appropriate extension such as .crt.
I figured this out too late. PEM isn't accepted by Windows, but DER
(luckily!) is, so now I'm just using DER.
IPsec FAQ tha
In message <[EMAIL PROTECTED]> on Mon, 04 Jul 2005 13:41:17 -0400, Uri <[EMAIL
PROTECTED]> said:
urimobile> Richard Levitte - VMS Whacker wrote:
urimobile>
urimobile> >>> >What makes you think the private key is included?
urimobile> >urimobile>
urimobile> >urimobile> The fact that Windows XP ma
On Mon, Jul 04, 2005, Uri wrote:
> Dr. Stephen Henson wrote:
>
> >On Sun, Jul 03, 2005, Uri wrote:
> >
> >
> >
> >>How do I create a request that doesn't contain private key, and how do I
> >>sign it? Could you give me an example please?
> >>
> >What makes you think the private key is included?
Richard Levitte - VMS Whacker wrote:
>What makes you think the private key is included?
urimobile>
urimobile> The fact that Windows XP machine (into which I load the
urimobile> created cert) claims to now have the private key for it.
Uhmmm, in a X.509 PKI, you need a key pair (private and pub
> Darn, I thought I explained the problem: openssl "req" seems to require
> private key of the cert requestor, which defeats the whole idea of PKI.
No.
IT is common practice for someone making a certificate request to
prove that they have the private key. This is known as "proof of
possession" a
Uri wrote:
> Does openssl (9.0.9.7g or 0.9.8beta6) allow creating certs (signing
> others' public keys) without havign their private keys presented to the
> signer?
>
> [For having to bring private key along with the public key sort fo
> defeats the whole purpse PKI.]
> ___
On Jul 4, 2005, at 12:00 AM, Uri wrote:
Tan Eng Ten wrote:
But how??? Could you give an example please (of [a] creating, and
[b] signing a "req")?
How is in the HOWTO (http://www.openssl.org/docs/HOWTO/)
Darn, I thought I explained the problem: openssl "req" seems to
require private key
In message <[EMAIL PROTECTED]> on Mon, 04 Jul 2005 00:03:50 -0400, Uri <[EMAIL
PROTECTED]> said:
urimobile> Dr. Stephen Henson wrote:
urimobile>
urimobile> >On Sun, Jul 03, 2005, Uri wrote:
urimobile> >
urimobile> >>How do I create a request that doesn't contain private
urimobile> >>key, and how
In message <[EMAIL PROTECTED]> on Mon, 04 Jul 2005 00:00:20 -0400, Uri <[EMAIL
PROTECTED]> said:
urimobile> Tan Eng Ten wrote:
urimobile>
urimobile> >> But how??? Could you give an example please (of [a]
urimobile> >> creating, and [b] signing a "req")?
urimobile> >
urimobile> > How is in the HO
Dr. Stephen Henson wrote:
On Sun, Jul 03, 2005, Uri wrote:
How do I create a request that doesn't contain private key, and how do I
sign it? Could you give me an example please?
What makes you think the private key is included?
The fact that Windows XP machine (into which I load the
Tan Eng Ten wrote:
But how??? Could you give an example please (of [a] creating, and [b]
signing a "req")?
How is in the HOWTO (http://www.openssl.org/docs/HOWTO/)
Darn, I thought I explained the problem: openssl "req" seems to require
private key of the cert requestor, which defeats the
On Sun, Jul 03, 2005, Uri wrote:
> But how???
>
> Creating a certificate request ("req") with openssl seems to require
> that private key is included! How do I avoid it?
>
> How do I create a request that doesn't contain private key, and how do I
> sign it? Could you give me an example please
Tan Eng Ten wrote:
But how??? Could you give an example please (of [a] creating, and [b]
signing a "req")?
How is in the HOWTO (http://www.openssl.org/docs/HOWTO/)
Or just use the Perl script that ships with OpenSSL called CA.pl
(Required at least Perl 5.6.x to be installed).
Thomas Hrusk
But how??? Could you give an example please (of [a] creating, and [b]
signing a "req")?
How is in the HOWTO (http://www.openssl.org/docs/HOWTO/)
__
OpenSSL Project http://www.openssl.org
User Supp
Bernhard Froehlich wrote:
Uri wrote:
Does openssl (9.0.9.7g or 0.9.8beta6) allow creating certs (signing
others' public keys) without havign their private keys presented to
the signer?
[For having to bring private key along with the public key sort fo
defeats the whole purpse PKI.]
You
David Schwartz wrote:
Does openssl (9.0.9.7g or 0.9.8beta6) allow creating certs (signing
others' public keys) without havign their private keys presented to the
signer?
Of course,
But how???
Creating a certificate request ("req") with openssl seems to require
that privat
> Does openssl (9.0.9.7g or 0.9.8beta6) allow creating certs (signing
> others' public keys) without havign their private keys presented to the
> signer?
Of course,
> [For having to bring private key along with the public key sort fo
> defeats the whole purpse PKI.]
Exactly.
Uri wrote:
Does openssl (9.0.9.7g or 0.9.8beta6) allow creating certs (signing
others' public keys) without havign their private keys presented to
the signer?
[For having to bring private key along with the public key sort fo
defeats the whole purpse PKI.]
You are totally right.
Because o
Does openssl (9.0.9.7g or 0.9.8beta6) allow creating certs (signing
others' public keys) without havign their private keys presented to the
signer?
[For having to bring private key along with the public key sort fo
defeats the whole purpse PKI.]
___
26 matches
Mail list logo
