In message <[EMAIL PROTECTED]> on Mon, 04 Jul 2005 00:03:50 -0400, Uri <[EMAIL PROTECTED]> said:

urimobile> Dr. Stephen Henson wrote:
urimobile>
urimobile> >On Sun, Jul 03, 2005, Uri wrote:
urimobile> >
urimobile> >>How do I create a request that doesn't contain private
urimobile> >>key, and how do I sign it? Could you give me an example
urimobile> >>please?
urimobile> >>
urimobile> >What makes you think the private key is included?
urimobile>
urimobile> The fact that Windows XP machine (into which I load the
urimobile> created cert) claims to now have the private key for it.

Uhmmm, in an X.509 PKI, you need a key pair (private and public key) to have it work at all. In Windows, the computer stores them for you. Where did you think the private keys would be stored? In your head? Are you willing to remember and type 1024 or more bits (in whatever format)? Thought not...

urimobile> >The private key needs to be *used* to sign the request but
urimobile> >it is never included.
urimobile> >
urimobile> Could you recommend a verification procedure for me,
urimobile> please?

Look at the CSR you created with an ASN.1 dumper. OpenSSL contains one, and you can basically use it in any output OpenSSL produces:

    openssl asn1parse -in my-csr.pem -i

Since you don't trust OpenSSL, I can also recommend dumpasn1. However, you need to convert your .pem file to pure binary (DER), so something like this gives you the correct output:

    openssl base64 -d < my-csr.pem | dumpasn1 -

If you want further proof, read the standards! For CSRs, it is PKCS #10, which is reproduced in RFC 2986.

Cheers,
Richard

P.S. I purposefully avoid giving you links. I interpret your level of trust as fairly low, so it seems to me it's better that you find things on your own. I encourage you to look around. If my interpretation is wrong, please tell me.

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/

"When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up."
-- C.S. Lewis

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                               [EMAIL PROTECTED]
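
Added example, not part of the original message or of OpenSSL's own documentation: the verification described above carried one step further, by searching the CSR's DER bytes for each private component of the key that signed it. The file names, the subject csr-demo.example, the 2048-bit key size and the helper function names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original message). Needs the openssl CLI.
# All file names, the subject and the key size are constructed demo values.

# Print the DER encoding of a PEM CSR as one lowercase hex string.
csr_der_hex() {
    openssl req -in "$1" -outform DER | od -An -v -tx1 | tr -d ' \n'
}

# Print one big-number field of an RSA key (e.g. privateExponent) as hex,
# taken from the "-text" dump, without the leading 00 sign-padding byte.
rsa_field_hex() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        awk -v f="$2:" '$0 == f {on=1; next} /^[A-Za-z]/ {on=0} on' |
        tr -d ' :\n' | sed 's/^00//'
}

# csr_contains KEY CSR FIELD
# Returns 0 if FIELD of KEY occurs in the CSR bytes, 1 if not,
# 2 if the field could not be read from the key.
csr_contains() {
    field=$(rsa_field_hex "$1" "$3")
    [ -n "$field" ] || return 2
    case "$(csr_der_hex "$2")" in
        *"$field"*) return 0 ;;
        *) return 1 ;;
    esac
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
openssl genrsa -out "$demo_dir/key.pem" 2048 2>/dev/null
openssl req -new -key "$demo_dir/key.pem" -subj "/CN=csr-demo.example" \
    -out "$demo_dir/csr.pem"

# The structure dump suggested in the message: subject, public key, signature.
openssl asn1parse -in "$demo_dir/csr.pem" -i

# The modulus (public) must be found; the private parts must not be.
for f in modulus privateExponent prime1 prime2; do
    if csr_contains "$demo_dir/key.pem" "$demo_dir/csr.pem" "$f"; then
        echo "$f: present in CSR"
    else
        echo "$f: not in CSR"
    fi
done
```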