On 21.10.12 19:25, Tom Browder wrote:
> I have successfully generated SSL client certificates for my Apache
> web site users, and we have successfully tested them using it to
> access my restricted areas on my web site.
> One thing I'm not sure of is why there is a private/public key pair in
> the client certs.
You must be misinterpreting what you are seeing. The certificate
data structure isn't capable of storing private keys, so if you see
the private key embedded somewhere, it's not a "client cert" that it is
embedded in.
> Hopefully it's not the same private key used to generate the CSR,
> or is it?
The private key to generate a CSR for a certificate is the CA's private
key. So if you have a separate CA, then no, it's not the same key.
If you are using self-signed certificates, revoking them is not
possible.
> In any event, why is it needed?
> All I am using the certs for is to allow access to my site which is
> done by (as I understand it) Apache checking that (1) the client cert
> hasn't been revoked and (2) it has been signed by me as the CA.
The web browser also needs access to the private key, as a proof that
it really represents the identity that is mentioned in the cert.
Otherwise, anybody could copy the certificate from the wire, or from
some directory service (it's really public).
The server shouldn't have the private key at all - the private
key should never leave the machine on which the browser is running.
Regards,
Martin
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
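The two checks Martin describes, as an added example that is not code from the thread or from OpenSSL: the server verifies that the presented certificate chains to its own CA, then challenges the client to sign a nonce, which only the holder of the matching private key can do, so a certificate copied off the wire gets no further. It uses Go's standard library with Ed25519 keys, a throwaway CA and a constructed "tom" certificate; the names IssueClientCert, ChainsToCA, Sign and ProvesPossession are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert signs tmpl with signerKey and parses the DER back. That DER carries the
// subject's public key only: X.509 has no field in which a private key could travel.
func mkCert(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signerKey ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IssueClientCert builds a throwaway CA and a client cert it signs (constructed, like Tom's
// setup). The client's private key comes back as a separate value: it never enters the cert.
func IssueClientCert() (client, ca *x509.Certificate, clientKey ed25519.PrivateKey, err error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	clientPub, clientKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if ca, err = mkCert(caTmpl, caTmpl, caPub, caKey); err != nil {
		return
	}
	clientTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "tom"}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	client, err = mkCert(clientTmpl, ca, clientPub, caKey)
	return
}

// ChainsToCA is check (2) from the thread: the presented cert was issued by our CA.
func ChainsToCA(cert, ca *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// Sign is the browser's part: sign a server-chosen nonce with the key only it holds.
func Sign(key ed25519.PrivateKey, nonce []byte) []byte { return ed25519.Sign(key, nonce) }

// ProvesPossession is the server's part: the public key inside the cert must verify the
// signature, so a certificate copied off the wire without its private key fails here.
func ProvesPossession(cert *x509.Certificate, nonce, sig []byte) bool {
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, nonce, sig)
}
```

Revocation (Tom's check (1)) is a separate lookup against a CRL or OCSP responder and is not modelled here.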