> Our server application expects from connecting clients to show their
> certificate to check their CN, OU and decide what permissions to allow for
> that client.
>
> I generated a client certificate and embedded encrypted private key in it.
> Everything works. Great.
> But now I want to avoid using private key of the client to avoid hassle
> managing private key and storing passwords for it. It seems that public
> encryption is the way to go. (Sorry, I'm still very confused in
> terminology)

How would that possibly work? If there is nothing that the client knows that nobody else knows, how do you expect it to prove its identity? Public encryption means the *server* does not need the client's private key to verify that the client knows the private key. If the client doesn't know its own private key, the certificate does no good.

> I generated a client certificate without private key in it and do not call
> anymore following functions which I had before
>
> SSL_CTX_set_default_passwd_cb(...);
> SSL_CTX_use_PrivateKey_file(...);
>
> But now SSL_connect fails returning -1 and SSL_get_error doesn't give me a
> clue. What am I doing wrong?
>
> Is it possible to achieve?

If the client does not have the private key corresponding to the public key in the certificate, how can it prove the certificate is for it rather than someone else? How do you imagine this is supposed to work?

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
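The point made in the reply above (a certificate alone proves nothing; the client must demonstrate possession of the matching private key, and the server only needs the public key to check that) can be shown in a few lines. The following is an added illustration, not code from the thread or from OpenSSL: it models the TLS CertificateVerify step with a constructed textbook RSA key pair (two known Mersenne primes, raw RSA on a SHA-256 digest, no padding, so for teaching only), a constructed certificate dict with CN/OU, and a `check_private_key` function that mirrors what OpenSSL's `SSL_CTX_check_private_key` checks. The names `server_handshake`, `client_with_key`, `client_without_key` and the permission table are all assumptions made for the example.

```python
"""Why TLS client authentication needs the client's private key (constructed demo)."""
import hashlib
import os

# Constructed toy RSA key pair for the client: p = 2^521-1 and q = 2^127-1 are
# known Mersenne primes, so no prime generation is needed. Not for real use.
_P, _Q = (1 << 521) - 1, (1 << 127) - 1
_N, _E = _P * _Q, 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))

# Constructed "certificate": subject fields plus the public key, exactly what the
# server receives on the wire. It contains nothing secret.
CLIENT_CERT = {"subject": {"CN": "client-1", "OU": "billing"}, "public_key": (_N, _E)}
CLIENT_PRIVATE_KEY = (_N, _D)          # what SSL_CTX_use_PrivateKey_file would load

# A second, unrelated constructed key pair (2^107-1 and 2^89-1 are also Mersenne primes),
# standing in for someone who obtained the certificate but not the matching key.
_P2, _Q2 = (1 << 107) - 1, (1 << 89) - 1
IMPOSTOR_PRIVATE_KEY = (_P2 * _Q2, pow(_E, -1, (_P2 - 1) * (_Q2 - 1)))

# Constructed authorization table keyed on (CN, OU), as the server in the thread does.
PERMISSIONS = {("client-1", "billing"): {"read", "write"}}


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, data: bytes) -> int:
    """Raw RSA signature over the SHA-256 digest (textbook RSA, no padding)."""
    n, d = private_key
    return pow(_digest(data) % n, d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    """Verification needs only the public key from the certificate."""
    n, e = public_key
    return pow(signature, e, n) == _digest(data) % n


def check_private_key(cert, private_key) -> bool:
    """Mirror of SSL_CTX_check_private_key: does this key pair with the cert's public key?"""
    n, e = cert["public_key"]
    kn, d = private_key
    if n != kn:
        return False
    probe = 0x1234
    return pow(pow(probe, d, n), e, n) == probe


def permissions_for(subject) -> set:
    return PERMISSIONS.get((subject["CN"], subject["OU"]), set())


def server_handshake(cert, challenge: bytes, signature: int):
    """Server side: accept the certificate only with a valid proof of possession.

    Returns the permission set for the authenticated subject, or None if the
    handshake fails (the TLS equivalent of the alert the client would see as
    SSL_connect returning -1).
    """
    if not verify(cert["public_key"], challenge, signature):
        return None
    return permissions_for(cert["subject"])


def client_with_key(challenge: bytes) -> int:
    """A client that holds its private key can answer the server's challenge."""
    return sign(CLIENT_PRIVATE_KEY, challenge)


def client_without_key(challenge: bytes) -> int:
    """A client that dropped its private key has nothing to sign with."""
    return 0


def run_demo():
    challenge = os.urandom(32)  # server-chosen nonce, fresh per handshake
    return {
        "key_matches_cert": check_private_key(CLIENT_CERT, CLIENT_PRIVATE_KEY),
        "with_key": server_handshake(CLIENT_CERT, challenge, client_with_key(challenge)),
        "without_key": server_handshake(CLIENT_CERT, challenge, client_without_key(challenge)),
        "impostor": server_handshake(CLIENT_CERT, challenge, sign(IMPOSTOR_PRIVATE_KEY, challenge)),
    }


if __name__ == "__main__":
    print(run_demo())
```

The server side of the demo never touches `CLIENT_PRIVATE_KEY`; it only uses the public key carried in the certificate, which is the sense in which "public encryption" removes the key-management burden from the server, not from the client. The practical consequence for the original poster's setup is that the client must keep calling `SSL_CTX_use_PrivateKey_file` (with the password callback if the key is encrypted) and should call `SSL_CTX_check_private_key` after loading both files so that a cert/key mismatch is reported at startup rather than as an opaque `SSL_connect` failure.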