Many thanks - it does help and I will try it soon. Many thanks!
--- Bernhard Froehlich <[EMAIL PROTECTED]> wrote:

> l Burnerheimerton wrote:
> > [...]
> > Ted - many thanks for your help. Just so I understand correctly, I
> > generate a private key certificate using openssl to export it to a
> > file that would then be imported into a browser.
> >
> > I can then use that server key to encrypt data that only those users
> > for whom I have generated, and they have installed, a private
> > certificate can decrypt.
> >
> > Is that right?
>
> Hmm, I'm not sure if we are really talking about the same thing...
> A client certificate used in a browser application is for
> authentication, so the server knows whom it is talking to. If the
> server uses HTTPS and only accepts connections from users who can
> authenticate with a certain kind of certificate (like those which were
> generated by your own CA), the result is that someone who does not
> have a cert cannot "talk" with the server.
> Independent from a client certificate, HTTPS assures that only the
> current user can decrypt the data sent by the server to him/her.
> If I understood you right, this satisfies your needs, although your
> description is (technically) not exactly correct.
>
> Back to the procedure you need.
>
> First of all you'll have to set up a CA. One of many descriptions for
> this can be found in http://sial.org/howto/openssl/ca/ (top hit of a
> Google search for "setup openssl ca"). Just check that your openssl
> contains "nsCertType = client, email" and "keyUsage = nonRepudiation,
> digitalSignature, keyEncipherment" for the certificates you are
> generating.
>
> Certificate generation is also described there; if you don't find
> better information on how to create keys and CSRs,
> http://www.openssl.org/docs/apps/req.html may help you.
>
> So let's assume you have set up the CA, your private key is in the
> file privkey.pem and mycert.pem contains your certificate.
> Then the following command should generate a PKCS#12 file mydata.p12
> which can be imported by Mozilla and IE (I've tested with Firefox):
>
> openssl pkcs12 -export -out mydata.p12 -inkey privkey.pem -in mycert.pem
>
> To use the keys you'll probably also have to import your CA's cert
> into the browser and trust it to identify web sites and mail users.
> Note that this can be quite dangerous (from a security viewpoint) in
> a production environment if your CA's private key is not properly
> secured...
>
> Hope it helps.
> Ted
> ;)
>
> --
> PGP Public Key Information
> Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
> Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]