P.S.:

Steffen Nurpmeso wrote in <20191023224323.kaodd%stef...@sdaoden.eu>:
 ...
 ||> I think it is common that S/MIME and SSL certificates are
 ||> delivered via PKCS12, including the private key. You then seem to
 ||> extract the individual things like
 ||
 ||I think this is a severe security breach. The private key should never
 ||leave your computer.

(Yes.)

 ||> $ openssl pkcs12 -in cert.p12 -out certpem.pem -clcerts -nodes
 ||> $ # Alternatively
 ||> $ openssl pkcs12 -in cert.p12 -out cert.pem -clcerts -nokeys
 ||> $ openssl pkcs12 -in cert.p12 -out key.pem -nocerts -nodes
 ||
 ||>|keys are generated on the subscriber's device and only the public key
 ||>|goes to the CA to be certified.
 |
 |With StartSSL it was like that, the browser generated the signing
 |request i hope. But i do not know.
 |
 |And, the above i inherited in the manual of the software
 |i maintain. I have not seen this in the wild on my own.

This is actually only half true. The original manual only
contains the first of the three.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
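The two delivery models discussed in this message, side by side, as an added example that is not part of the original post or of the manual it mentions. The file names, the subject `example.invalid` and the pass phrase are constructed, and a self-signed certificate stands in for the one a CA would issue.

```shell
#!/bin/sh
# Added example: every file name, subject and pass phrase here is constructed.

# Print the number of PEM private-key headers in a file (0 = no key material).
count_private_keys() {
    grep -c -e '-----BEGIN.*PRIVATE KEY-----' "$1" || true
}

# Runs in a subshell so that umask, set -e and the trap stay local.
demo() (
    set -e
    umask 077                       # key files readable by the owner only
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    pw=pass:constructed-passphrase  # assumption: demo pass phrase

    # Model 1: the key is generated locally. Only req.csr, which carries
    # the public key and the subject, would be sent to the CA.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.invalid" \
        -keyout "$work/key.pem" -out "$work/req.csr" 2>/dev/null
    csr_keys=$(count_private_keys "$work/req.csr")

    # Stand-in for the CA: self-sign the request.
    openssl x509 -req -in "$work/req.csr" -signkey "$work/key.pem" \
        -days 1 -out "$work/cert.pem" 2>/dev/null

    # Model 2: certificate and private key travel together in a PKCS12 file.
    openssl pkcs12 -export -inkey "$work/key.pem" -in "$work/cert.pem" \
        -out "$work/cert.p12" -passout "$pw" 2>/dev/null

    # The split extraction quoted in the message.
    openssl pkcs12 -in "$work/cert.p12" -out "$work/cert-only.pem" \
        -clcerts -nokeys -passin "$pw" 2>/dev/null
    openssl pkcs12 -in "$work/cert.p12" -out "$work/key-out.pem" \
        -nocerts -nodes -passin "$pw" 2>/dev/null

    cert_keys=$(count_private_keys "$work/cert-only.pem")
    key_keys=$(count_private_keys "$work/key-out.pem")

    # Key headers found in: CSR, -nokeys output, -nodes output.
    echo "$csr_keys $cert_keys $key_keys"
)

demo
```

The CSR and the `-nokeys` output contain no private key, while the `-nodes` output holds it unencrypted on disk, which is why the restrictive umask matters for that file.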