On 11/22/06, David Schwartz <[EMAIL PROTECTED]> wrote:
> > OK, perhaps I need to explain this more. I have a client cert
> > scenario where in order to verify the client's identity a certificate
> > is used instead of a username / password. I would not like for anyone
> > to be able to just grab the client certificate and impersonate, so I
> > would like to add a password to the cert. I would think this would be
> > similar to where for instance Verisign sends you a certificate for
> > your webserver, and it has a password on it. Am I mistaken?
> >
> > Chris
>
> No, you are completely confused and really need to read some basic
> information about public-key encryption before you go any further. The whole
> point of the authentication scheme is that the certificate is public. If it
> wasn't, how could the server send it to you to prove its identity?
>
> If you want to see, for example, Amazon.com's certificate, type this:
>
> openssl s_client -host www.amazon.com -port 443
>
> And in a few seconds, Amazon's certificate will appear for you to see.

I am most likely using the wrong terms (but I may be completely
confused, I admit). When one distributes client certificates to take
the place of usernames/passwords for authentication, how is that
commonly referred to? Let's say I wanted to create an application
where one logs in with only his certificate, not his username and
password, and there is no rsa private key corresponding to that client
certificate, meaning that simply having the certificate is all that is
required to authenticate. Is it possible to add a private key back
into the existing certificate or is that something that needs to be
done during the CSR?
Chris
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
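An added example (not from the thread or the OpenSSL project) that walks through the private key, CSR and certificate relationship David describes and shows what a password on a client certificate actually protects. It assumes the openssl command-line tool is installed; the subject name, file names and password are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI; subject name,
# file names and password are constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The private key comes first; the CSR and certificate are derived from it.
make_client_cert() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/client.key" 2>/dev/null
    openssl req -new -key "$WORK/client.key" -subj "/CN=chris-client" \
        -out "$WORK/client.csr" 2>/dev/null
    # Self-signed to keep the demo short; normally a CA signs the CSR.
    openssl x509 -req -in "$WORK/client.csr" -signkey "$WORK/client.key" \
        -days 1 -out "$WORK/client.crt" 2>/dev/null
}

# The certificate carries only the public key, which must match the private key.
cert_matches_key() {
    k=$(openssl pkey -in "$WORK/client.key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$WORK/client.crt" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Possession of the certificate alone cannot produce a signature.
sign_with_cert_fails() {
    ! openssl dgst -sha256 -sign "$WORK/client.crt" /dev/null >/dev/null 2>&1
}

# "A password on the cert" really means an encrypted private key, e.g. in a
# PKCS#12 bundle holding key and certificate together.
bundle_with_password() {
    openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
        -passout "pass:$1" -out "$WORK/client.p12" 2>/dev/null
}

# The bundle opens only with the right password (wrong one fails the MAC check).
bundle_opens_with() {
    openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$1" -nokeys >/dev/null 2>&1
}

# Stand-alone run, exercising each step in order.
make_client_cert
cert_matches_key && echo "certificate public key matches private key"
sign_with_cert_fails && echo "certificate alone cannot sign"
bundle_with_password "constructed-demo-password"
bundle_opens_with "constructed-demo-password" && echo "bundle opens with password"
bundle_opens_with "wrong-password" || echo "bundle rejects wrong password"
```

The password never lives in the certificate itself; it encrypts the key, which is why the cert can be published freely while the key stays protected.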