Hello, sorry for the late reply.

Ralph Seichter wrote in <87pninuqns....@wedjat.horus-it.com>:
 |* Steffen Nurpmeso:
 |> I think it is common that S/MIME and SSL certificates are delivered
 |> via PKCS12, including the private key. You then seem to extract the
 |> individual things [...]
 |
 |Nope, that is the wrong way round. The correct sequence to obtain an
 |S/MIME certificate is as follows:
 |
 |1. User X creates a private key *locally*. This private key must never
 |be handed to anybody else.
 |
 |2. User X creates a certificate signing request (CSR) and sends it to a
 |certificate authority (CA).
 |
 |3. The CA uses the CSR to create a signed certificate, and sends that
 |certificate back to user X.

Ok, but that is exactly what I have written a few lines later for the
CACert example that I posted, right. So not nope, Mr.
Where "user X" meant "browser of user X" when I did so for a StartSSL
certificate. I assume it did the right thing. But I do not know.

 |4. User X can then optionally combine private key and signed certificate
 |in a .p12 file to ease importing the data *locally* in his MUA (it is
 |usually more convenient to deal with a single file that combines both
 |private key and certificate).
 |
 |If the process is altered in any way in which a third party gets hold of
 |user X's private key, security is broken, no matter if the private key
 |is password protected or not.

That is surely right.

--steffen
 |
 |Der Kragenbaer,                The moon bear,
 |der holt sich munter           he cheerfully and one by one
 |einen nach dem anderen runter  wa.ks himself off
 |(By Robert Gernhardt)
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
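The four-step sequence Ralph lays out (key generated locally, CSR to the CA, signed certificate back, optional local .p12 bundle), scripted with openssl as an added example; this is not code from the thread or from either poster. Two directories stand in for user X's machine and the CA so the trust boundary is visible: only the CSR crosses into the CA's directory and only the signed certificate comes back. The CA is a throw-away self-signed one created for the demo; the subject names, e-mail address, validity and the bundle password are assumptions. The check functions at the end are the verifications a practitioner would run afterwards: that the CSR carries no private key, that the CA never received one, that the certificate chains to the CA, and that the bundle contains both key and certificate.

```shell
#!/bin/sh
# Added example: the S/MIME enrolment sequence with openssl.
# Assumed: openssl on PATH; all names, subjects and the password are
# demo values, not taken from the thread.
set -e

smime_enroll() {
    work="$1"
    user="$work/user"   # user X's machine
    ca="$work/ca"       # the certificate authority's side
    mkdir -p "$user" "$ca"

    # Step 1: private key generated locally; it never leaves $user.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$user/user.key" 2>/dev/null

    # Step 2: the CSR carries the public key and the requested subject only.
    openssl req -new -key "$user/user.key" \
        -subj "/CN=User X/emailAddress=userx@example.com" \
        -out "$user/user.csr" 2>/dev/null
    cp "$user/user.csr" "$ca/user.csr"      # the only artefact the CA receives

    # Step 3: the CA signs the CSR (demo CA, self-signed, 30-day validity).
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$ca/ca.key" \
        -subj "/CN=Demo S-MIME CA" -days 30 -out "$ca/ca.crt" 2>/dev/null
    # S/MIME-specific extensions the CA adds to the issued certificate.
    printf 'extendedKeyUsage=emailProtection\nsubjectAltName=email:userx@example.com\n' \
        > "$ca/smime.ext"
    openssl x509 -req -in "$ca/user.csr" -CA "$ca/ca.crt" -CAkey "$ca/ca.key" \
        -CAcreateserial -days 30 -extfile "$ca/smime.ext" \
        -out "$ca/user.crt" 2>/dev/null
    cp "$ca/user.crt" "$user/user.crt"      # signed certificate goes back to user X
    cp "$ca/ca.crt" "$user/ca.crt"          # plus the CA certificate for the chain

    # Step 4: optional local bundle of key + certificate for the MUA import.
    # The bundle is built on user X's side; the key still never left it.
    openssl pkcs12 -export -inkey "$user/user.key" -in "$user/user.crt" \
        -certfile "$user/ca.crt" -passout pass:changeit \
        -out "$user/user.p12" 2>/dev/null
}

# Post-enrolment checks; each returns 0 on success.
csr_has_no_private_key() {   # what was sent to the CA must not contain a key
    ! grep -q "PRIVATE KEY" "$1"
}
cert_chains_to_ca() {        # $1 = certificate, $2 = CA certificate
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
p12_holds_key_and_cert() {   # the bundle must contain both private key and cert
    out=$(openssl pkcs12 -in "$1" -passin pass:changeit -nodes 2>/dev/null)
    echo "$out" | grep -q "PRIVATE KEY" && echo "$out" | grep -q "BEGIN CERTIFICATE"
}

# Usage: sh enroll.sh <work-directory>
if [ $# -gt 0 ]; then
    smime_enroll "$1"
    csr_has_no_private_key "$1/ca/user.csr"
    [ ! -f "$1/ca/user.key" ]
    cert_chains_to_ca "$1/user/user.crt" "$1/user/ca.crt"
    p12_holds_key_and_cert "$1/user/user.p12"
    echo "enrolment ok: key stayed in $1/user, CA saw only the CSR"
fi
```

The point of splitting the work into two directories is the one Ralph makes: a PKCS12 file is a convenience for the local import, not the delivery format for a certificate, and any flow in which the .p12 (and with it the private key) is produced on the CA's side fails the `[ ! -f ca/user.key ]` check regardless of how strong the bundle password is.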