Richard Levitte - VMS Whacker wrote:
>What makes you think the private key is included?
urimobile>
urimobile> The fact that Windows XP machine (into which I load the
urimobile> created cert) claims to now have the private key for it.
Uhmmm, in a X.509 PKI, you need a key pair (private and public key) to
have it work at all. In Windows, the computer stores them for you.
Where did you think the private keys would be stored? In your head?
Are you willing to remember and type 1024 or more bits (in whatever
format)? Thought not...
Look, I'd be very obliged if you took the trouble to understand the
actual questions before jumping the gun with answers that are less than
helpful. For example, you didn't seem to comprehend that the CA's
(self-signed) cert goes to the Windows box (which is a client and a
member of the realm of this CA), and in addition to that the Windows box
stores the server's cert, with which it corresponds.
We are NOT talking about the key pair that belongs to this Windows box
(where the private key is necessary). Now I've described it with plenty
of detail.
And just in case, once again. The setup is:
One server, several clients - among the clients is a Windows XP machine.
All communications protected by IPsec, IKE authentication done via
signed RSA public keys.
One local CA based on OpenSSL-0.9.7g.
The CA's cert and the server's cert were installed on the Windows machine,
so it could verify the server's cert.
NOW the Windows box claims that it holds NOT ONLY the server's public key
(which was expected), but ALSO the server's PRIVATE KEY. This, combined
with the fact that to create a "req" one has to supply his private key,
drove me to the conclusion that somehow this demoCA is less than correct
in dealing with certs. [In case it matters, certs were passed to Windows
in PKCS12 format]
Also, here's an example of openssl-created "newreq.pem" on my box:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,D002B0C9C6F377C7
wSqix6TJp...........................................................
.........................................................................
.................................................tuJZYOyg==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
MIIBqTCC................................
.................................................
..................................FalOz
-----END CERTIFICATE REQUEST-----
Looks like it concatenates the private key and the actual cert request
together. I verified that if I edit the private key out, cert signing
still works (which is good :-).
urimobile> >The private key needs to be *used* to sign the request but
urimobile> >it is never included.
urimobile> >
urimobile> Could you recommend a verification procedure for me,
urimobile> please?
Look at the CSR you created with an ASN.1 dumper. OpenSSL contains
one, and you can basically use it on any output OpenSSL produces:
openssl asn1parse -in my-csr.pem -i
Thank you. It works. So now I'll need to dig up the exact format of
X.509 cert.
If my interpretation is wrong, please tell me.
I think it is - but it is pointless to discuss it further. I thank you
for the useful ASN.1 parsing example.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
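As an added example (not code from this thread or from the OpenSSL project), the shell functions below split a PEM file laid out like the newreq.pem shown in the message into its labelled blocks, report whether a private key is bundled next to the certificate request, and extract only the request block so that it, and not the key, is what gets handed to a CA or fed to `openssl asn1parse`. The sample file written by `make_sample` is a constructed placeholder with the same block layout; it contains no real key material or request. The helper names (`pem_block_labels`, `pem_has_private_key`, `pem_extract`, `report_pem`, `make_sample`) are this example's own, not OpenSSL commands.

```shell
#!/bin/sh
# Added example, not from the thread: inspect a PEM file for bundled blocks
# and separate a certificate request from any private key stored beside it.

# Print the label of every PEM block in $1 (e.g. "RSA PRIVATE KEY"), in order.
pem_block_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Succeed (status 0) if $1 contains any "... PRIVATE KEY" block, else fail.
pem_has_private_key() {
    pem_block_labels "$1" | grep -q 'PRIVATE KEY$'
}

# Copy only the block(s) labelled $2 from file $1 to stdout, e.g.
#   pem_extract newreq.pem "CERTIFICATE REQUEST" > csr-only.pem
pem_extract() {
    awk -v want="$2" '
        $0 == ("-----BEGIN " want "-----") { keep = 1 }
        keep { print }
        $0 == ("-----END " want "-----")   { keep = 0 }
    ' "$1"
}

# Summarise the blocks in $1; return 1 when a private key travels with them,
# which is the condition to check before the file leaves the machine.
report_pem() {
    printf 'Blocks in %s:\n' "$1"
    pem_block_labels "$1" | sed 's/^/  /'
    if pem_has_private_key "$1"; then
        echo "WARNING: a private key is bundled in this file; pass on only the request block."
        return 1
    fi
    echo "OK: no private key present."
}

# Constructed sample mirroring the layout of the newreq.pem in the message.
# The bodies are placeholders, not an actual key or request.
make_sample() {
    cat > "$1" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000

PLACEHOLDERKEYBODY==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
PLACEHOLDERCSRBODY==
-----END CERTIFICATE REQUEST-----
EOF
}

# Demonstration on the constructed sample: the combined file is flagged,
# the extracted request block is clean.
sample=$(mktemp)
make_sample "$sample"
report_pem "$sample" || true
pem_extract "$sample" "CERTIFICATE REQUEST" > "$sample.csr"
report_pem "$sample.csr"
rm -f "$sample" "$sample.csr"
```

To check a real file, run `report_pem newreq.pem`; if it warns, write `pem_extract newreq.pem "CERTIFICATE REQUEST" > newreq-csr.pem` and use that file for `openssl asn1parse -in newreq-csr.pem -i` and for submission to the CA, so the dump and the submission cover the request alone. The label match is deliberately a suffix match on `PRIVATE KEY`, so it also catches "PRIVATE KEY" and "ENCRYPTED PRIVATE KEY" blocks written by other key formats.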