On Thu, Jan 13, 2005, Shaun Lipscombe wrote:

> * Dr. Stephen Henson wrote:
> 
> > On Thu, Jan 13, 2005, Shaun Lipscombe wrote:
> > 
> > > Another question I have is I have seen documentation on the net showing
> > > CSR's being generated that catenate the private key and PEM encoded
> > > certificate request prior to be sent for signing by the CA. This again
> > > seems *strange*. Why is this done?
> > 
> > Probably for the same reasons some sites suggest that a CA certificate is
> > installed by creating a PKCS#12 file including the CA private key: sheer
> > ignorance :-(
> 
> I've not heard of that but installing root certificates along with its
> primary key completely underpins the whole concept of a chain of trust.
> Glad to hear that it's ignorance and not me misunderstanding something :-)
> 

That "CA key PKCS#12 file solution" is repeated so often I've added an FAQ
entry for it. It's also part of some PKI lectures as a prime example of PKI
stupidity.

> One last question... it's to do with client certificates. If I have two
> websites, say, and they both require client certificates signed by the
> CA "ABC. Ltd" there is nothing stopping a client certificate being used
> for authorization to access both sites even though those two sites may
> not be aware of each other. Is it up to the webserver to go through the
> certificate, once it's been shown as being valid, and seeing whether
> access should be granted, or is there something I've missed? I created
> two sites that have a CA "in common" in its acceptable CA list and I can
> now access both sites with the same certificate. What can I do to avoid
> such a circumstance?
> 

Well if it's the same CA (and not one with just the same name) and both sides
accept it then I'm not sure what the problem is. If it's the same CA name but
distinct CAs (e.g. two CAs accidentally have the same name) then the
verification of the client chain will fail on one site.

It's also possible to include additional checks based on the details in a
certificate: e.g. allow access to a specific account based on it.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
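As an added example (not from the thread or from OpenSSL itself) of the "additional checks" Steve mentions: once the TLS layer has verified the client chain, each site still has to decide on its own which certificate holders get which account. The code below takes a certificate in the shape Python's `ssl.SSLSocket.getpeercert()` returns (the sample dict, CA name, site policies and account names are all constructed for illustration) and applies a per-site policy, so the same certificate that maps to an account on one site maps to nothing on another.

```python
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert(),
# standing in for a client certificate issued by a CA called "ABC Ltd CA".
SAMPLE_CLIENT_CERT = {
    "issuer": ((("organizationName", "ABC. Ltd"),), (("commonName", "ABC Ltd CA"),)),
    "subject": ((("organizationName", "ABC. Ltd"),), (("commonName", "shaun"),)),
    "subjectAltName": (("email", "shaun@example.org"),),
    "serialNumber": "1A2B",
    "notAfter": "Jan 13 00:00:00 2006 GMT",
}

def rdn_value(name, attr):
    """First value of attribute `attr` in a getpeercert() name tuple, or None."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None

def authorize(cert, policy, now):
    """Map a chain-verified client cert to an account for one site, or None.

    TLS verification only proves the cert was issued by a CA the server
    trusts; which account (if any) that holder may use is a per-site
    decision, taken here from the cert's own details.
    """
    # 1. Validity: reject a cert whose notAfter is already in the past.
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        return None
    # 2. The site names the issuer it honours for logins (chain verification,
    #    not this DN comparison, is what distinguishes two CAs with one name).
    if rdn_value(cert["issuer"], "commonName") != policy["issuer_cn"]:
        return None
    # 3. Identify the holder by the attribute this site keys on.
    if policy["key"] == "cn":
        ident = rdn_value(cert["subject"], "commonName")
    else:  # "email": the rfc822Name entry of subjectAltName
        ident = next((v for t, v in cert.get("subjectAltName", ()) if t == "email"), None)
    # 4. Only identities this site has explicitly enrolled get an account.
    return policy["accounts"].get(ident)

# Two sites that trust the same CA; only site A has enrolled this holder.
SITE_A = {"issuer_cn": "ABC Ltd CA", "key": "cn", "accounts": {"shaun": "shaun-acct"}}
SITE_B = {"issuer_cn": "ABC Ltd CA", "key": "email", "accounts": {"bob@example.org": "bob-acct"}}
```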
