> OK, perhaps I need to explain this more. I have a client cert
> scenario where in order to verify the client's identity a certificate
> is used instead of a username / password. I would not like for anyone
> to be able to just grab the client certificate and impersonate, so I
> would like to add a password to the cert. I would think this would be
> similar to where for instance Verisign sends you a certificate for
> your webserver, and it has a password on it. Am I mistaken?
>
> Chris

No, you are completely confused and really need to read some basic information about public-key encryption before you go any further. The whole point of the authentication scheme is that the certificate is public. If it wasn't, how could the server send it to you to prove its identity?

If you want to see, for example, Amazon.com's certificate, type this:

    openssl s_client -host www.amazon.com -port 443

And in a few seconds, Amazon's certificate will appear for you to see. If they didn't send it to you, how could you verify its validity?

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                               [EMAIL PROTECTED]
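
The point made in the reply above, as an added example that is not part of the original messages: the certificate can be read by anyone without a secret, while the matching private key file is what a passphrase protects. The file names, the subject `example-client` and the passphrases are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: key, certificate and passphrases are constructed; all files live in a temp dir.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

make_identity() {
    # Private key, stored encrypted with AES-256 under a passphrase.
    openssl genrsa -aes256 -passout pass:correct-horse \
        -out "$demo_dir/client.key" 2048 2>/dev/null
    # Self-signed certificate over the matching public key.
    openssl req -new -x509 -key "$demo_dir/client.key" -passin pass:correct-horse \
        -subj "/CN=example-client" -days 1 -out "$demo_dir/client.crt" 2>/dev/null
}

# The certificate parses with no passphrase at all: it is public data.
cert_readable_without_secret() {
    openssl x509 -in "$demo_dir/client.crt" -noout -subject >/dev/null 2>&1
}

# The private key only decrypts when the right passphrase is supplied.
key_opens_with() {
    openssl pkey -in "$demo_dir/client.key" -passin "pass:$1" -noout >/dev/null 2>&1
}

# The certificate carries only the public half of the key pair.
cert_matches_key() {
    from_cert=$(openssl x509 -in "$demo_dir/client.crt" -noout -pubkey 2>/dev/null)
    from_key=$(openssl pkey -in "$demo_dir/client.key" -passin pass:correct-horse \
        -pubout 2>/dev/null)
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

make_identity
if cert_readable_without_secret; then echo "certificate: readable by anyone"; fi
if key_opens_with correct-horse; then echo "key: opens with the passphrase"; fi
if key_opens_with wrong-guess; then
    echo "key: opened with a wrong passphrase (unexpected)"
else
    echo "key: refuses a wrong passphrase"
fi
if cert_matches_key; then echo "certificate public key matches the private key"; fi
```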