* Steffen Nurpmeso:

> I think it is common that S/MIME and SSL certificates are delivered
> via PKCS12, including the private key. You then seem to extract the
> individual things [...]

Nope, that is the wrong way round. The correct sequence to obtain an S/MIME certificate is as follows:

1. User X creates a private key *locally*. This private key must never be handed to anybody else.
2. User X creates a certificate signing request (CSR) and sends it to a certificate authority (CA).
3. The CA uses the CSR to create a signed certificate, and sends that certificate back to user X.
4. User X can then optionally combine private key and signed certificate in a .p12 file to ease importing the data *locally* in his MUA (it is usually more convenient to deal with a single file that combines both private key and certificate).

If the process is altered in any way in which a third party gets hold of user X's private key, security is broken, no matter if the private key is password protected or not.

-Ralph

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
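The four-step sequence described in the reply, as an added shell example that is not from the original post: it drives the openssl CLI, and the throwaway self-signed test CA, the subject names, the password `changeit` and the temporary working directory are all assumptions made for the demonstration. Only the CSR crosses from user X to the CA; the private key never leaves the working directory.

```shell
#!/bin/sh
# Constructed walk-through of key -> CSR -> CA-signed cert -> local .p12.
# A self-signed test CA stands in for the real CA (assumption).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1: user X generates the private key locally. It stays in $WORK.
gen_user_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/user.key" 2>/dev/null
}

# Step 2: user X builds a CSR from the key. Only user.csr is sent to the CA.
make_csr() {
    openssl req -new -key "$WORK/user.key" \
        -subj "/CN=User X/emailAddress=userx@example.invalid" \
        -out "$WORK/user.csr" 2>/dev/null
}

# Step 3 (CA side): the CA signs the CSR. It never sees user.key.
ca_sign() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -subj "/CN=Test CA" -days 1 -out "$WORK/ca.crt" 2>/dev/null
    openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/user.crt" 2>/dev/null
}

# Step 4: user X bundles key + certificate into a PKCS#12 file locally.
bundle_p12() {
    openssl pkcs12 -export -inkey "$WORK/user.key" -in "$WORK/user.crt" \
        -certfile "$WORK/ca.crt" -passout pass:changeit \
        -out "$WORK/user.p12" 2>/dev/null
}

# Check: the file handed to the CA carries no private key material.
csr_has_no_private_key() {
    ! grep -q "PRIVATE KEY" "$WORK/user.csr"
}

# Check: the returned certificate chains to the CA that signed it.
cert_verifies() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/user.crt" >/dev/null 2>&1
}

# Check: the certificate's public key is the one from the locally made key.
cert_matches_key() {
    [ "$(openssl pkey -in "$WORK/user.key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$WORK/user.crt" -pubkey -noout)" ]
}
```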