Matthieu Herrb wrote:
>
> Hi,
>
> I'm new to this list, and I did not find anything obvious matching my
> problem in the mail archives, so please excuse me if it's a FAQ or if
> the question is silly.
>
> I'm using OpenSSL 0.9.5a to sign messages with a certificate that I
> have exported from Netscape and converted to PEM format with 'openssl
> pkcs12'.
>
> My problem is that I can't find how to protect my private key. To have
> an explicit ----BEGIN RSA PRIVATE KEY---- section in the PEM file, I
> need the -nodes option to the pkcs12 command, otherwise the private key
> is hidden in the certificate. But in the -nodes case the private key
> is not protected at all.
>
You don't have to do that. The -nodes option outputs an unencrypted
private key. If you don't include the option it prompts you for the
passphrase to encrypt the private key with. It is *not* "hidden" in the
certificate.

> It seems that the openssl smime -sign needs an explicit RSA private key
> in the file passed to -signer or in the file specified with
> -inkeys. (It barfs if I use -signer with the certificate generated
> with 'openssl pkcs12' without the -nodes option). So, how can I
> generate a private key file protected by a pass phrase for use with
> 'openssl smime -sign ...' ?
>
If you pass an encrypted private key on the command line it should
prompt you for the pass phrase.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
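
The workflow described in the reply, as an added example that is not part of the original thread: convert a PKCS#12 export to PEM without -nodes so the key stays encrypted, then sign with it. It assumes a current openssl command line that supports -passin/-passout and -subj; the key, certificate, file names and pass phrases are constructed throwaway values, and the -passin/-passout options are there only so the script runs unattended (omit them to get the interactive prompts).

```shell
#!/bin/sh
# Added example: all keys, certificates and pass phrases are constructed.
sign_with_protected_key() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        # Constructed stand-in for the certificate exported from the browser.
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Example Signer" \
            -keyout tmpkey.pem -out cert.pem 2>/dev/null || exit 1
        openssl pkcs12 -export -inkey tmpkey.pem -in cert.pem \
            -out export.p12 -passout pass:export-pw 2>/dev/null || exit 1
        rm -f tmpkey.pem    # the clear-text key is not needed again

        # No -nodes: the private key written to signer.pem is encrypted
        # under the output pass phrase (prompted for if -passout is omitted).
        openssl pkcs12 -in export.p12 -out signer.pem \
            -passin pass:export-pw -passout pass:key-pw 2>/dev/null || exit 1

        # The PEM file holds the certificate plus an encrypted key block.
        grep -q "BEGIN CERTIFICATE" signer.pem || exit 1
        grep -q "ENCRYPTED" signer.pem || exit 1

        printf 'test message\n' > msg.txt
        # A wrong pass phrase must make signing fail.
        if openssl smime -sign -in msg.txt -signer signer.pem \
            -passin pass:wrong -out bad.p7 2>/dev/null; then
            exit 1
        fi
        # signer.pem supplies both certificate and key; without -passin
        # openssl prompts for the pass phrase here.
        openssl smime -sign -in msg.txt -signer signer.pem \
            -passin pass:key-pw -out signed.p7 2>/dev/null || exit 1
        # Check the signature against the throwaway self-signed certificate.
        openssl smime -verify -in signed.p7 -CAfile cert.pem \
            -out /dev/null 2>/dev/null
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}

sign_with_protected_key && echo "signed with a pass-phrase-protected key"
```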