So when you send the CSR including the Public Key - you would send them the (your) Private Key, also? Then they sign it with a Private Key they've created? and send it back?
-----Original Message-----
From: david [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 19, 2005 2:11 AM
To: David Schwartz
Cc: openssl-users@openssl.org
Subject: RE: simple question again

> The particular pages or components retrieved over the SSL link (the one
> retrieved through URLs beginning with 'https'), will be sent over encrypted
> links. In addition, the endpoint will be validated. So that if you retrieve
> 'https://www.amazon.com/anything/goes/here', you will receive a warning if
> it cannot be established that the data came from 'www.amazon.com'.
>
> When you generate a certificate, you do it as follows:
>
> 1) You create a new random private key and public key.
>
> 2) You generate a certificate request that includes the public key.
>
> 3) You sign the certificate request with the private key (to prove that you
> know it)
>
> 4) You send the certificate request to a certificate authority.
>
> 5) The certificate authority verifies the name you claim in the certificate
> request to make sure it belongs to you. They verify that the request was
> signed with the private key corresponding to the public key in the
> certificate.
>
> 6) The certificate authority issues a certificate that says that your name
> is associated with your public key. They sign it with their public key.
>
> The certificate is generally considered public information. All it does is
> convey the true fact that the certification authority has established that
> the name in the certificate is the name of the holder of the private key
> that corresponds to the public key in it.
>
> You can now prove that you are you by presenting the certificate and then
> proving that you know the private key. This is usually done by challenging
> you to sign something with it or decrypt something with it.
>
> DS

On step 6, I think you want to say that the CA signs the certificate with its private key (and not public key), no?
david
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
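The certificate request flow discussed in this thread, walked through with the `openssl` command line as an added example (not code from any of the posters): only the CSR is handed to the CA, the CSR is signed with the applicant's private key, and the certificate is signed with the CA's private key and checked with the CA's public certificate. The names `Demo CA` and `www.example.test`, the file names and the function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. "Demo CA", www.example.test and all file names are constructed.

# CA side: the CA's own key pair and root certificate. ca.key never leaves the CA.
make_ca() {  # $1 = working directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Steps 1-3, applicant side: new key pair, CSR carrying the public key,
# signed with the private key. server.key stays on the applicant's machine.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
}

# Step 5, CA side: check the CSR's self-signature (proof of possession).
csr_signature_ok() {
    openssl req -in "$1/server.csr" -noout -verify 2>&1 | grep -q "verify OK"
}

# Step 6, CA side: issue the certificate, signing with the CA *private* key.
issue_cert() {
    openssl x509 -req -in "$1/server.csr" -days 1 -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/server.crt" 2>/dev/null
}

# Relying party: validate using only a CA's public certificate ($2).
cert_verifies() {
    openssl verify -CAfile "$2" "$1/server.crt" >/dev/null 2>&1
}

# The applicant's public key is the same in the key file, CSR and certificate.
same_public_key() {
    k=$(openssl pkey -in "$1/server.key" -pubout)
    [ "$k" = "$(openssl req -in "$1/server.csr" -noout -pubkey)" ] &&
        [ "$k" = "$(openssl x509 -in "$1/server.crt" -noout -pubkey)" ]
}

demo() {
    d=$(mktemp -d)
    make_ca "$d" && make_csr "$d" && csr_signature_ok "$d" && issue_cert "$d" || return 1
    # Step 4: only server.csr was handed over, and it holds no private key.
    if grep -q "PRIVATE KEY" "$d/server.csr"; then return 1; fi
    same_public_key "$d" && cert_verifies "$d" "$d/ca.crt" && echo "CSR flow verified"
}
demo
```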