I understand it that any browser like Firefox, IE, etc. does NOT need any private key, only CA certificates, to communicate over SSL with any server application, so we don't need to install the key at all. But if we have to import server certs & key into applications like an app server or LDAP server, then how safe is the following openssl command?

openssl pkcs12 -export -out cacert.p12 -in cacert.pem -inkey cakey.pem

Any response will be appreciated! Thanks
-Ashok

---------- Forwarded message ----------
From: Ashok Kumar <ashok.ku...@csueastbay.edu>
Date: Mon, Feb 15, 2010 at 12:42 PM
Subject: explanation about openssl command?
To: openssl-users@openssl.org

Hi,

I saw the following question on the openssl support site (http://www.openssl.org/support/faq.html), which says:

openssl pkcs12 -export -out cacert.p12 -in cacert.pem -inkey cakey.pem

DO NOT DO THIS! This command will give away your CA's private key and reduces its security to zero: allowing anyone to forge certificates in whatever name they choose.

12. How do I install a CA certificate into a browser?

The usual way is to send the DER encoded certificate to the browser as MIME type application/x-x509-ca-cert, for example by clicking on an appropriate link. On MSIE certain extensions such as .der or .cacert may also work, or you can import the certificate using the certificate import wizard.

You can convert a certificate to DER form using the command:

openssl x509 -in ca.pem -outform DER -out ca.der

Occasionally someone suggests using a command such as:

openssl pkcs12 -export -out cacert.p12 -in cacert.pem -inkey cakey.pem

DO NOT DO THIS! This command will give away your CA's private key and reduces its security to zero: allowing anyone to forge certificates in whatever name they choose.

=====================================

May I know why the openssl command behaves so? What's the alternative to import cert and key into any application using openssl or any other tool?

Appreciate your help. Thanks
-Ashok

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
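The distinction the FAQ draws is between what leaves the CA host and what stays on it: a browser only ever needs the CA certificate (DER encoded), whereas a PKCS#12 bundle is the right packaging for an end entity such as an app server or LDAP server that must hold its own certificate and its own key. The following script, added here as an example and not part of the mailing-list thread or the OpenSSL FAQ, wraps the two FAQ commands in guards that refuse to hand out any file carrying a private-key block and refuse to bundle a key whose certificate is a CA. Function names and file names are this example's own assumptions; the PEM files in the test are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the original thread): guard the two paths the FAQ
# describes. A CA certificate is distributed alone; a PKCS#12 bundle is only
# built for an end entity's own certificate and key. Names are assumptions.

# Return 0 (true) if FILE contains any PEM private-key block, e.g.
# "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY".
has_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Return 0 if FILE is safe to hand out: at least one CERTIFICATE block and
# no private-key block. Prints the reason for refusal on stderr.
safe_to_distribute() {
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo "refuse: $1 contains no certificate" >&2
        return 1
    fi
    if has_private_key "$1"; then
        echo "refuse: $1 contains a private key; it must not leave this host" >&2
        return 1
    fi
    return 0
}

# Browser import path from the FAQ: certificate only, DER encoded.
# Requires the openssl CLI; runs the same conversion the FAQ gives.
ca_cert_to_der() {
    safe_to_distribute "$1" || return 1
    openssl x509 -in "$1" -outform DER -out "$2"
}

# End-entity import path: the server's own cert + key packaged as PKCS#12.
# Refuses when the certificate is a CA certificate (basicConstraints CA:TRUE),
# which is exactly the case the FAQ warns about.
server_to_pkcs12() {
    cert=$1; key=$2; out=$3
    if openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "refuse: $cert is a CA certificate; its key stays on the CA host" >&2
        return 1
    fi
    openssl pkcs12 -export -out "$out" -in "$cert" -inkey "$key"
}
```

The text checks in `has_private_key` and `safe_to_distribute` need no OpenSSL at all, so they can run in any release pipeline before a file is attached to a mail or placed on a web page; `ca_cert_to_der` and `server_to_pkcs12` need the openssl binary and are the only functions that touch key material.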