On Fri, Aug 24, 2007, Bynum, Don wrote:

> So, when I see a Friendly Name in the CA certs in a Trusted Root Store
> (in any browser for example), how did the friendly name get there? A
> PKCS#12 file always includes the private key, right? The private keys
> of Trusted Root CA certs are certainly not submitted to the browser
> vendor.
>
A PKCS#12 file does not have to include a private key but it normally
does include at least one key. In the past browsers would reject a
PKCS#12 file without a key but now some will accept it. In any case a
friendlyName can be associated with a certificate other than the one
containing a private key (if any).

Also the actual browser vendor might associate a human readable name
with the certificate so when it is submitted a hard coded friendly name
might appear. So when a CA sends the CA it might send a certificate and
tell the vendor to call this "Foobar Class 1 CA".

The third possibility is that in the absence of any other friendly name
some subject name components will be used but there's no standard way of
doing that. So if CN="Foo CA" and O="Bar Organization" the common name
might be "Foo CA - Bar Organization".

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
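The first and third cases from the reply above, as an added example that is not part of the original message: a key-less PKCS#12 file carrying a friendlyName on a CA certificate, and a fallback display name built from CN and O when no friendlyName is present. The function names, the password `example` and the throwaway CA are constructed for illustration, and the "CN - O" format is only one possible convention.

```shell
#!/bin/sh
# Constructed sample: a throwaway self-signed CA named as in the message above.
make_ca() {  # $1 = work dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Bar Organization/CN=Foo CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Pack only the certificate (no private key), optionally with a friendlyName.
# -caname sets the friendly name of certificates not paired with a key.
pack_cert_only() {  # $1 = work dir, $2 = friendly name ("" for none)
    if [ -n "$2" ]; then
        openssl pkcs12 -export -nokeys -in "$1/ca.pem" -caname "$2" \
            -out "$1/ca.p12" -passout pass:example
    else
        openssl pkcs12 -export -nokeys -in "$1/ca.pem" \
            -out "$1/ca.p12" -passout pass:example
    fi
}

# Name a UI could show: the friendlyName bag attribute if present, otherwise
# "CN - O" taken from the subject (an assumed convention, not a standard).
display_name() {  # $1 = PKCS#12 file
    dump=$(openssl pkcs12 -in "$1" -nokeys -passin pass:example 2>/dev/null)
    fn=$(printf '%s\n' "$dump" | sed -n 's/^ *friendlyName: //p' | head -n 1)
    if [ -n "$fn" ]; then
        printf '%s\n' "$fn"
        return
    fi
    subj=$(printf '%s\n' "$dump" |
        openssl x509 -noout -subject -nameopt multiline)
    cn=$(printf '%s\n' "$subj" | sed -n 's/^ *commonName *= //p')
    o=$(printf '%s\n' "$subj" | sed -n 's/^ *organizationName *= //p')
    printf '%s - %s\n' "$cn" "$o"
}

work=$(mktemp -d)
make_ca "$work"
pack_cert_only "$work" "Foobar Class 1 CA"
display_name "$work/ca.p12"     # friendlyName stored in the certificate bag
pack_cert_only "$work" ""
display_name "$work/ca.p12"     # no friendlyName: falls back to subject fields
rm -rf "$work"
```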