I'm pretty new to this PKI stuff, but I'm very confused about why pkcs12 files are encrypted.
As I understand it, a basic p12 file contains within it two things:

(1) A private key (private.pem in my case, an RSA key created with genrsa)
(2) An x509 certificate (cert.pem in my case, created with req -new -x509 -key private.pem etc...)

When you create the x509 certificate it isn't encrypted, because all it stores inside of it is the public key which is generated from the given private.pem; and that's not sensitive data. As far as I can see, there aren't even any options in the openssl req sub-utility to encrypt the cert created by -new -x509.

Now, if I understand correctly, when you take cert.pem and private.pem and store them together into a p12 file, the pkcs12 sub-utility defaults to encrypting the p12 file as a whole, even beyond the fact that the internal private key is already encrypted, and despite the fact that (I think) the certificate doesn't need to be encrypted.

I'm guessing I'm probably missing something here. It's not just that I think encrypting the cert would be "silly and paranoid," it's that I don't understand why it needs to be encrypted in principle.

Many thanks in advance for any help in clearing up a newbie's confusion,

-Patrick

P.S. If there are any de facto standard books to read on the subjects of RSA and PKI, I would be curious to hear a tip. I'm not necessarily just interested in learning how to use these technologies from a user-end perspective. I'm pretty solid with mathematics, so I would be curious to learn about the theory of the implementation details as well.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
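The post's picture of "the p12 file encrypted as a whole" can be checked directly. PKCS#12 (RFC 7292) keeps two things apart: privacy, which is applied per SafeContents (or to the key alone, as a PKCS#8 shrouded key bag), and integrity, which is a password-derived MAC over the whole AuthenticatedSafe. OpenSSL's default export encrypts the certificate SafeContents, shrouds the key separately, and adds the MAC; the certificate encryption is optional and can be switched off with -certpbe NONE while the key stays shrouded and the MAC stays in place. The script below is an added example, not part of the original post or of OpenSSL's own documentation. It reproduces the genrsa / req -x509 / pkcs12 -export steps from the question, exports the pair twice, and reads back the structure with `openssl pkcs12 -info`. File names and the password "secret" are constructed for the demo; the only assumption is an OpenSSL command line (1.1.1 or 3.x), and the "PKCS7 Encrypted data" / "PKCS7 Data" / "Shrouded Keybag" lines it greps for are the structural summary the pkcs12 app prints on stderr.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): build the key and cert the
# way the question describes, export them to PKCS#12 twice, and compare how
# OpenSSL lays out the two files. File names and the password "secret" are
# constructed for this demo; the only assumption is an OpenSSL CLI (1.1.1 or 3.x).
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Unencrypted RSA key and a self-signed certificate, as in the question.
openssl genrsa -out private.pem 2048 2>/dev/null
openssl req -new -x509 -key private.pem -out cert.pem -days 1 \
    -subj "/CN=pkcs12-demo" 2>/dev/null

# 2a. Default export: the certificate bag goes into an encryptedData
#     SafeContents, the key goes into a separate plain SafeContents as a
#     PKCS#8 shrouded key bag, and a password-derived MAC covers everything.
openssl pkcs12 -export -inkey private.pem -in cert.pem -out default.p12 \
    -passout pass:secret

# 2b. Same export with -certpbe NONE: the certificate SafeContents is left as
#     plain data. The key is still shrouded and the MAC is still present.
openssl pkcs12 -export -inkey private.pem -in cert.pem -out clearcert.p12 \
    -passout pass:secret -certpbe NONE

# The -info summary is printed on stderr, so swap the streams and discard the
# PEM that -nokeys would still write for the certificates on stdout.
p12_info() {
    openssl pkcs12 -info -in "$1" -passin pass:secret -nokeys 2>&1 >/dev/null
}

# Number of SafeContents stored as encryptedData (password privacy mode).
encrypted_safes() {
    p12_info "$1" | grep -c 'PKCS7 Encrypted data' || true
}

# Number of PKCS#8 shrouded key bags, i.e. keys encrypted on their own,
# independently of the SafeContents that holds them.
shrouded_keys() {
    p12_info "$1" | grep -c 'Shrouded Keybag' || true
}

# Succeeds if the file carries a MAC (password integrity mode).
has_mac() {
    p12_info "$1" | grep -q '^MAC'
}

# SHA-256 fingerprint of the certificate pulled out WITHOUT the password:
# -nomacver skips the integrity check and -nokeys skips the shrouded key bag,
# so this only works when the certificate SafeContents itself is unencrypted.
# Prints nothing when extraction fails.
cert_without_password() {
    openssl pkcs12 -in "$1" -nokeys -nomacver -passin pass:wrong 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null || true
}

# Reference fingerprint of the original cert.pem, for comparison.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

for f in default.p12 clearcert.p12; do
    printf '%s: encrypted SafeContents=%s shrouded keys=%s mac=%s\n' \
        "$f" "$(encrypted_safes "$f")" "$(shrouded_keys "$f")" \
        "$(has_mac "$f" && echo yes || echo no)"
    if [ -n "$(cert_without_password "$f")" ]; then
        printf '%s: certificate readable without the export password\n' "$f"
    else
        printf '%s: certificate not readable without the export password\n' "$f"
    fi
done
```

The default file reports one encrypted SafeContents, one shrouded key and a MAC, and the certificate cannot be pulled out with a wrong password; the -certpbe NONE file reports zero encrypted SafeContents but still one shrouded key and a MAC, and its certificate (fingerprint identical to cert.pem) comes out with -nomacver and no valid password at all. So the export password is doing two jobs: it keys the MAC that any verifying reader uses to detect tampering, and it separately derives the keys for the SafeContents encryption and the PKCS#8 shrouding, each of which OpenSSL lets you turn off on its own (-certpbe NONE, -keypbe NONE, -nomac). If you do relax the certificate encryption, check the result with whatever importer will consume the file, since not every consumer handles every layout the same way.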