Ashok Kumar wrote:
> I understand it as any browser like Firefox, IE etc. do NOT need any
> private key but CA certificates to communicate over SSL with any
> server application, so we don't need to install the key at all. But if
> we have to import server certs & key into applications like app
> server, LDAP server then how safe is the following openssl command?

Certificates have a private and public key embedded in them. The
public version of the cert just has the public key.

> openssl pkcs12 -export -out cacert.p12 -in cacert.pem -inkey cakey.pem
That command exports the ROOT AUTHORITY CERTIFICATE with both its public
and private key. This is something that only the CA itself should
have, not a client. Anyone who gets their hands on that root CA will
be able to generate certificates that appear to be from your CA authority.

A client should have the certificate WITHOUT the private key; this is
typically the ca.crt file that was generated by something like...

openssl genrsa -out ca.key 1024
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Note this is not the cert the server itself is using, either; this is
the public version of the Root CA that was used to /generate/ the server
host certificate. When you install this ca.crt into any client's
certificate store, that client will then accept any certs generated from
the Root CA.
> Any response will be appreciated!
I found this pretty good tutorial/presentation on how PKI works:
http://computing.ece.vt.edu/~jkh/Understanding_SSL_TLS.pdf

This does a pretty good job of explaining the whole process and how all
the pieces fit together. The section on self-generated CAs starts on
page 65, but I recommend reading everything leading up to it.
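As an added example (not part of this thread, and not OpenSSL project code), the script below walks through the split the reply describes: the CA keeps ca.key, the app/LDAP server gets a PKCS#12 of its OWN key and cert (with ca.crt chained in), and a client gets only ca.crt, which is enough to verify the server. It also shows how to count the private keys inside a PKCS#12 before handing it out, so a bundle built with the CA key by mistake is caught. File names, subject names and the password "changeit" are constructed for the demo; it assumes a working openssl binary (1.1 or 3.x).

```shell
#!/bin/sh
# Added example (not from this thread): who holds which key material.
# The CA keeps ca.key; the server imports its OWN key+cert as PKCS#12;
# clients get ca.crt only. Names and the password are demo assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch dir for all constructed files
PASS="pass:changeit"           # demo PKCS#12 password (assumption)

# 1. Root CA. ca.key never leaves the CA; ca.crt is what everyone else gets.
make_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$WORK/ca.key" \
      -subj "/CN=Demo Root CA" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Server key + CSR, signed with the CA key (used here, then put away).
issue_server_cert() {
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/server.key" -subj "/CN=ldap.example.test" \
      -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
      -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
      -out "$WORK/server.crt" 2>/dev/null
}

# 3. What an app/LDAP server imports: its own cert and key, plus ca.crt as
#    the chain. Note -inkey points at the SERVER key, never at the CA key.
export_server_p12() {
  openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
      -certfile "$WORK/ca.crt" -passout "$PASS" -out "$WORK/server.p12"
}

# 4. A PKCS#12 for client trust stores: ca.crt only, no key of any kind.
export_client_ca_p12() {
  openssl pkcs12 -export -nokeys -in "$WORK/ca.crt" \
      -passout "$PASS" -out "$WORK/ca-public.p12"
}

# Count the private keys inside a PKCS#12 (check this before handing one out).
p12_private_keys() {
  openssl pkcs12 -in "$1" -passin "$PASS" -nocerts -nodes 2>/dev/null \
      | grep -c 'BEGIN.*PRIVATE KEY' || true
}

# 5. The client-side check: ca.crt alone is enough to validate server.crt.
client_verifies() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

demo() {
  make_ca && issue_server_cert && export_server_p12 && export_client_ca_p12
  echo "server.p12 private keys:    $(p12_private_keys "$WORK/server.p12")"
  echo "ca-public.p12 private keys: $(p12_private_keys "$WORK/ca-public.p12")"
  client_verifies && echo "client verified server.crt using ca.crt only"
}

demo
```

Running it prints one private key for server.p12, zero for ca-public.p12, and a successful verification. If p12_private_keys ever reports a key in a bundle you meant for clients, or the bundle was built from the CA's key, do not distribute it.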
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org