Dr. Stephen Henson wrote:
> Normally you'll generate the key yourself and generate a certificate request
> from it. The request (not the key) is sent to the CA and they then send you
> the certificate back. The point being the CA never sees your key.

Minor aside: for the purposes of key escrow/recovery, *encryption* key
pairs may be generated on behalf of users or cached by a CA or recovery
agent; for the purposes of non-repudiation, *signing* private keys may
never exist anywhere outside the direct and exclusive control of the
subject.
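
The flow described in the quoted text, written out as an added example that is not part of the original thread: the subject generates the key and the request locally, then confirms that the file going to the CA carries only the public half. The file names, the subject name and the function names are constructed for illustration.

```shell
# Added example. server.key, server.csr and the CN are constructed values.

make_key_and_csr() {   # $1 = working directory
  # umask 077 so the private key is created readable by its owner only.
  ( umask 077
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$1/server.key" 2>/dev/null ) || return 1
  # The request is signed with the private key but contains only the public key.
  openssl req -new -key "$1/server.key" -subj "/CN=www.example.test" \
    -out "$1/server.csr"
}

csr_proves_possession() {   # $1 = CSR file
  # The request's self-signature shows the requester holds the private key.
  # Match on the message text: older releases exit 0 even when this fails.
  openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

csr_matches_key() {   # $1 = CSR file, $2 = private key file
  # Public key inside the CSR must equal the public half of the local key.
  csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$csr_pub" = "$key_pub" ]
}

csr_is_key_free() {   # $1 = CSR file
  # Nothing in the file sent to the CA may be a private key block.
  ! grep -q "PRIVATE KEY" "$1"
}

work=$(mktemp -d)
if make_key_and_csr "$work" &&
   csr_proves_possession "$work/server.csr" &&
   csr_matches_key "$work/server.csr" "$work/server.key" &&
   csr_is_key_free "$work/server.csr"; then
  echo "Send $work/server.csr to the CA; $work/server.key stays local."
else
  echo "CSR checks failed" >&2
fi
```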