tito wrote:
> I have used SPKAC format to request a digital certificate from Mozilla
> and signed the request with my master key from OpenSSL and imported it
> to my Mozilla. I can readily export (backup) the private key + certificate
> from Mozilla and import it to some other system's Mozilla browser. I don't
> want this to happen. I don't want the private key to be exported. Is there
> any option in OpenSSL to disable this?

It's not really possible to give you useful advice without understanding your threat model. For example, would simply graying out the option to export the key suffice? Or do you need to prevent the key from being extracted even by a determined attacker? (For example, is simply shutting off Mozilla's export option sufficient even if Mozilla is still capable of exporting the key?)

In principle, for Mozilla to prove it is entitled to use the certificate, it must perform operations using the private key. Unless the key is stored in a hardware token, there is no way to stop it from exporting the very same private key data it is using to perform those key operations.

What is your outer problem? Are you trying to protect against user error? Are you trying to protect against malicious corruption of the browser by a determined attacker with access to the local system?

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org