In message <[EMAIL PROTECTED]> on Mon, 04 Jul 2005 13:41:17 -0400, Uri <[EMAIL PROTECTED]> said:
urimobile> Richard Levitte - VMS Whacker wrote:
urimobile>
urimobile> >>> >What makes you think the private key is included?
urimobile> >urimobile>
urimobile> >urimobile> The fact that the Windows XP machine (into which I
urimobile> >urimobile> load the created cert) claims to now have the
urimobile> >urimobile> private key for it.
urimobile> >
urimobile> >Uhmmm, in an X.509 PKI, you need a key pair (private and
urimobile> >public key) to have it work at all. In Windows, the
urimobile> >computer stores them for you. Where did you think the
urimobile> >private keys would be stored? In your head? Are you
urimobile> >willing to remember and type 1024 or more bits (in
urimobile> >whatever format)? Thought not...
urimobile> >
urimobile> Look, I'd be very obliged if you took the trouble to
urimobile> understand the actual questions before jumping the gun with
urimobile> answers that are less than helpful.

Well, considering the small amount of facts you actually gave, you can't be surprised that I had to use my imagination to try to understand what you had done. Contrary to what you seem to think, it was less than obvious.

Still, my apologies for the tone I used. It was needlessly harsh.

urimobile> For example, you didn't seem to comprehend that the CA's
urimobile> (self-signed) cert goes to the Windows box (which is a
urimobile> client and a member of the realm of this CA), and in
urimobile> addition to that - the Windows box stores the server's cert,
urimobile> with which it corresponds.

It's fine for any box to store or cache certificates of any kind. Certificates are public data, and only contain a public key.

urimobile> We are NOT talking about the key pair that belongs to this
urimobile> Windows box (where a private key is necessary). Now I've
urimobile> described it with plenty of details.

Nope:

urimobile> NOW the Windows box claims that it holds NOT ONLY the server's
urimobile> public key (which was expected), but ALSO the server's
urimobile> PRIVATE KEY.

This is the first time you said that *another* device's private key ended up on your Windows box. And still, that can't happen because of a CSR, which is what you claimed was at fault. However, it seems you found something:

urimobile> Also, here's an example of openssl-created "newreq.pem" on
urimobile> my box:

(I assume, BTW, that you used CA.pl here)

urimobile> -----BEGIN RSA PRIVATE KEY-----
urimobile> Proc-Type: 4,ENCRYPTED
urimobile> DEK-Info: DES-EDE3-CBC,D002B0C9C6F377C7
urimobile>
urimobile> wSqix6TJp...........................................................
urimobile> .........................................................................
urimobile> .................................................tuJZYOyg==
urimobile> -----END RSA PRIVATE KEY-----
urimobile> -----BEGIN CERTIFICATE REQUEST-----
urimobile> MIIBqTCC................................
urimobile> .................................................
urimobile> ..................................FalOz
urimobile> -----END CERTIFICATE REQUEST-----
urimobile>
urimobile> Looks like it concatenates the private key and the actual cert
urimobile> request together.

Yup. I was in disbelief, but just checked CA.pl (which I usually don't use), and saw this really happens. I'd call that a bug, that's not the way it should be, in my opinion (translated: that's completely f*cked!).

urimobile> Thank you. It works. So now I'll need to dig up the exact
urimobile> format of X.509 cert.

The quickest way to find that information is by reading RFC3280.

Cheers,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte                         [EMAIL PROTECTED]
                                        http://richard.levitte.org/

"When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up."
                                                -- C.S. Lewis

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
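The practical hazard in the thread is that CA.pl's newreq.pem bundles the RSA PRIVATE KEY block and the CERTIFICATE REQUEST block into one file, so anyone who forwards or imports "the request" as-is is also moving the private key. The script below is an added example (not code from the thread or from the OpenSSL project) that lists the block labels in a PEM file, warns if any private-key block is present, and extracts only the request block for hand-off. It uses plain POSIX sh and awk, so it needs no openssl binary; the sample newreq.pem it writes is constructed, with placeholder base64 bodies rather than real key material.

```sh
#!/bin/sh
# Added example; not part of the mailing-list thread or of CA.pl.
# Splits a PEM bundle such as CA.pl's newreq.pem so that only the
# CERTIFICATE REQUEST block leaves the machine.

# pem_labels FILE: print the label of every "-----BEGIN <label>-----" block.
pem_labels() {
    awk '/^-----BEGIN .*-----$/ { sub(/^-----BEGIN /, ""); sub(/-----$/, ""); print }' "$1"
}

# pem_extract LABEL FILE: print only the block(s) whose label is LABEL,
# e.g. pem_extract "CERTIFICATE REQUEST" newreq.pem > req-only.pem
pem_extract() {
    awk -v lbl="$1" '
        $0 == "-----BEGIN " lbl "-----" { inblk = 1 }
        inblk { print }
        $0 == "-----END " lbl "-----"   { inblk = 0 }
    ' "$2"
}

# pem_has_private_key FILE: succeed (exit 0) if any block label ends in
# "PRIVATE KEY" (RSA PRIVATE KEY, EC PRIVATE KEY, PRIVATE KEY, ...).
pem_has_private_key() {
    pem_labels "$1" | grep -q 'PRIVATE KEY$'
}

# Constructed stand-in for a CA.pl newreq.pem. The DEK-Info IV and the
# base64 bodies are placeholders, not real key or request material.
SAMPLE_NEWREQ=$(mktemp)
trap 'rm -f "$SAMPLE_NEWREQ"' EXIT
cat > "$SAMPLE_NEWREQ" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAA==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBB
-----END CERTIFICATE REQUEST-----
EOF

# Typical use: refuse to ship the bundle untouched, hand over the request only.
if pem_has_private_key "$SAMPLE_NEWREQ"; then
    echo "WARNING: $SAMPLE_NEWREQ contains a private key block; extracting the request only" >&2
fi
pem_extract "CERTIFICATE REQUEST" "$SAMPLE_NEWREQ"
```

The same `pem_extract` call with the label "RSA PRIVATE KEY" recovers the key half into a file that stays on the host with restrictive permissions, which is the split CA.pl should have done in the first place.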