Hi--

On Apr 24, 2013, at 1:53 PM, Michael Powell <nightre...@hotmail.com> wrote:

> This is along the lines of what I was thinking. I am my own CA and can
> generate certs that no one else has the private keys to.

So can someone who does not run their own CA...?

> The problem with buying certs from a provider is the gov't has access
> to the private keys on demand.

Um, how does that work when they don't have your private keys?

People generate a CSR which they send to a public CA like Verisign/Entrust/et al for signing. That CSR contains the RSA public key, and a matching signature created by the private key to authenticate the CSR request, but it does not contain the private key itself. Consider:

    openssl req -newkey rsa:2048 -keyout key.pem -out req.pem
    openssl req -in req.pem -text -verify -noout
    ls -l key.pem req.pem

...or even go through the explicit process of seeing the different data available:

    openssl rsa -in key.pem -pubout -out pubkey.pem
    openssl rsa -in key.pem -text -noout
    openssl rsa -pubin -in pubkey.pem -text -noout

[ A CSR is about half of the size of the private+public key file; and the public key by itself is a quarter the size of the private+public key file. And even possessing key.pem doesn't disclose the private key, since there's a password needed. Unless you make an effort to export the key without a password, that is. ]

Regards,
--
-Chuck

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
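The point of the message above, that a CSR carries the public key and a self-signature but none of the private key, can be checked mechanically rather than by eyeballing text dumps. The script below is an added example, not part of Chuck's message: it generates an encrypted key and a CSR in a scratch directory (non-interactively, with a constructed passphrase and subject), confirms the CSR's signature verifies, confirms the RSA modulus inside the CSR is the same one as in key.pem, and counts the private-key-only fields (privateExponent, prime1, prime2) in a text dump of each file, expecting several in the key and zero in the CSR. It assumes only that the openssl CLI is on PATH.

```shell
#!/bin/sh
# Added example (not from the original message): build an encrypted RSA key and
# a CSR in a scratch directory, then check what the CSR does and does not carry.
# Assumes the openssl CLI is on PATH; file names, subject and passphrase are constructed.
set -eu

PASS=pass:example-passphrase      # constructed passphrase for the demo key
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate key.pem (encrypted) and req.pem with no interactive prompts.
make_key_and_csr() {
    openssl req -newkey rsa:2048 -keyout "$WORK/key.pem" -out "$WORK/req.pem" \
        -passout "$PASS" -batch -subj '/CN=csr-demo.example' >/dev/null 2>&1
}

# Does the CSR's self-signature verify against the public key it embeds? Prints ok/fail.
csr_signature_ok() {
    if openssl req -in "$WORK/req.pem" -noout -verify >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Is the RSA modulus in the CSR the same one as in the private key file? Prints same/different.
moduli_match() {
    csr_mod=$(openssl req -in "$WORK/req.pem" -noout -modulus)
    key_mod=$(openssl rsa -in "$WORK/key.pem" -passin "$PASS" -noout -modulus 2>/dev/null)
    if [ -n "$csr_mod" ] && [ "$csr_mod" = "$key_mod" ]; then echo same; else echo different; fi
}

# Count private-key-only fields in a text dump of the key ('key') or the CSR ('csr').
private_fields() {
    case "$1" in
        key) dump=$(openssl rsa -in "$WORK/key.pem" -passin "$PASS" -text -noout 2>/dev/null) ;;
        csr) dump=$(openssl req -in "$WORK/req.pem" -text -noout 2>/dev/null) ;;
    esac
    printf '%s\n' "$dump" | grep -c -E 'privateExponent|prime1|prime2' || true
}

# First PEM label of the key ('key') or CSR ('csr') file, e.g. "ENCRYPTED PRIVATE KEY".
pem_label() {
    case "$1" in
        key) f="$WORK/key.pem" ;;
        csr) f="$WORK/req.pem" ;;
    esac
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$f" | head -n 1
}

make_key_and_csr
echo "CSR self-signature:      $(csr_signature_ok)"
echo "modulus in CSR vs key:   $(moduli_match)"
echo "private fields in key:   $(private_fields key)"
echo "private fields in CSR:   $(private_fields csr)"
echo "key.pem PEM label:       $(pem_label key)"
echo "req.pem PEM label:       $(pem_label csr)"
ls -l "$WORK/key.pem" "$WORK/req.pem"
```

Comparing the `-modulus` output of `openssl req` and `openssl rsa` is a quick way to confirm that a CSR really belongs to a given key without decoding anything by hand, and the zero count of private fields in the CSR dump is the concrete form of the claim that a CA signing your CSR never receives the private key.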