* Dr. Stephen Henson wrote:

> On Thu, Jan 13, 2005, Shaun Lipscombe wrote:
> 
> > Why is it that a Microsoft box requires SSL certificates be imported
> > from a PKCS12 file when all other operating systems and software are OK
> > with a PEM certificate?
> 
> It doesn't. You can do that of course but the preferred technique is the same
> as every other environment: create a private key on the Microsoft box, sign a
> request with it, send the request to the CA and install the resulting certificate.

Ok. That makes far more sense since the private key doesn't have to be
created on one box and transferred to the m$ box, i.e. it's more secure. I
didn't want to use the Certification stuff that comes with Windows 2000
Server coz it's a tad expensive and openssl works a charm.

> For MSIE you can use Xenroll for that.

Not heard of that but will take a looksie.

> > Another question I have is I have seen documentation on the net showing
> > CSRs being generated that catenate the private key and PEM encoded
> > certificate request prior to being sent for signing by the CA. This again
> > seems *strange*. Why is this done?
> 
> Probably for the same reasons some sites suggest that a CA certificate is
> installed by creating a PKCS#12 file including the CA private key: sheer
> ignorance :-(

I've not heard of that but installing root certificates along with their
primary key completely undermines the whole concept of a chain of trust.
Glad to hear that it's ignorance and not me misunderstanding something :-)

I'll delete that site from my bookmarks :-)

One last question... it's to do with client certificates. If I have two
websites, say, and they both require client certificates signed by the
CA "ABC. Ltd", there is nothing stopping a client certificate being used
for authorization to access both sites even though those two sites may
not be aware of each other. Is it up to the webserver to go through the
certificate, once it's been shown as being valid, and see whether
access should be granted, or is there something I've missed? I created
two sites that have a CA "in common" in their acceptable CA lists and I can
now access both sites with the same certificate. What can I do to avoid
such a circumstance?

Shaun
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
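The last question above is the classic authentication-versus-authorization split: the TLS handshake only proves the client holds a key for a certificate that chains to an accepted CA, and each site must separately decide which of those certificate holders it admits. The following is an added example, not code from the thread or from OpenSSL, showing one site-specific check over the certificate as Python's `ssl.SSLSocket.getpeercert()` returns it; the CA name, subject names and policy fields are constructed for illustration.

```python
"""Per-site authorization of an already-validated TLS client certificate.

The handshake (ssl.CERT_REQUIRED) verifies the chain; it says nothing about
which clients this particular site should admit.  That decision is made here,
from the certificate's issuer and subject.
"""
from typing import Dict, Tuple

# Shape of ssl.SSLSocket.getpeercert(): a DN is a tuple of RDNs, each RDN a
# tuple of (attribute, value) pairs.
RDNSequence = Tuple[Tuple[Tuple[str, str], ...], ...]


def dn_to_dict(dn: RDNSequence) -> Dict[str, str]:
    """Flatten a getpeercert()-style DN into {attribute: value}."""
    out: Dict[str, str] = {}
    for rdn in dn:
        for attr, value in rdn:
            out[attr] = value
    return out


def authorize(peercert: dict, policy: dict) -> Tuple[bool, str]:
    """Decide whether a TLS-authenticated client may use this site.

    policy = {"issuer_cn": str, "allowed_ou": set, "allowed_cn": set}
    """
    issuer = dn_to_dict(peercert["issuer"])
    subject = dn_to_dict(peercert["subject"])
    # 1. Pin the CA this site expects; a cert from another CA in the trust
    #    store is still "valid" but is not one this site has vetted.
    if issuer.get("commonName") != policy["issuer_cn"]:
        return False, f"issuer {issuer.get('commonName')!r} not accepted"
    # 2. Authorization proper: the subject must be on this site's own list.
    if subject.get("organizationalUnitName") in policy.get("allowed_ou", set()):
        return True, "organizational unit allowed"
    if subject.get("commonName") in policy.get("allowed_cn", set()):
        return True, "common name allowed"
    return False, f"subject {subject.get('commonName')!r} not authorized here"


# Constructed sample (hypothetical names): one client certificate issued by
# the CA both sites trust, in the tuple format getpeercert() returns.
CLIENT_CERT = {
    "subject": ((("organizationName", "ABC. Ltd"),),
                (("organizationalUnitName", "Finance"),),
                (("commonName", "alice"),)),
    "issuer": ((("organizationName", "ABC. Ltd"),),
               (("commonName", "ABC. Ltd CA"),)),
}
SITE_A = {"issuer_cn": "ABC. Ltd CA", "allowed_ou": {"Finance"}}   # admits alice
SITE_B = {"issuer_cn": "ABC. Ltd CA", "allowed_cn": {"bob"}}       # rejects alice
```

In a real server the dictionary comes from `conn.getpeercert()` after the handshake, and the same certificate is admitted by SITE_A but refused by SITE_B even though both accept the same CA.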