>From: owner-openssl-us...@openssl.org On Behalf Of Jevin Sonut
>Sent: Thursday, 28 March, 2013 23:41

>what is the best way to store keys that will be used by openssl

What kind(s) of keys and what kind(s) of use?

>can someone please explain how to create the pem/p7 file for keys
>found some info @
>http://www.mail-archive.com/openssl-users@openssl.org/msg18775.html

Assuming p7 means PKCS#7, there are several types of PKCS#7 messages,
most of which most people don't know about. .p7b or .p7c specifically,
by convention, is a degenerate SignedData with no data and no signature,
used only to convey one or more certificates (and/or CRLs, more rarely).

In practice these certs are always X.509 (an international standard).
Such a cert contains a public key for somebody, which can be used to
encrypt data to that somebody or verify signatures from that somebody.
openssl can easily extract the public key from an X.509 cert and can
store it separately in what it calls PUBKEY format (which is the
SubjectPublicKeyInfo substructure defined by X.509). But often the
operations that use a public key also need the other information in the
cert as well, so generally it's best to store the cert.

openssl can write and read X.509 or PUBKEY in either PEM or DER. DER is
the raw ASN.1 binary, and PEM is base64-encoded plus labels. PEM is
often easier for people, and is more robust in some contexts.

>Another unanswered question about pem file manipulation
>http://www.mail-archive.com/openssl-users@openssl.org/msg69377.html

That's not really about PEM as such, since the described encoding issue
would be at the ASN.1 level. It's more about a specific and possibly
nonstandard ENGINE, and I can't help there.

>Actually I defined a char and entered the passkey and IV in the
>program itself???

I don't know what you mean. If by passkey you mean a password or
passphrase suitable for PBE aka PBKDF, I know of no scheme that would
use that with an explicit IV, though there may be one.

In general storing nonpublic key material in the program is dangerous,
although sometimes convenient; it's harder to change when needed, and
program files get copied where keys shouldn't.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
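The following is an added worked example, not part of the reply above or of any post in the thread, that walks through the formats the reply describes with the openssl command-line tool: make a throwaway key and self-signed X.509 cert, pull out the PUBKEY (SubjectPublicKeyInfo), round-trip the cert between PEM and DER, wrap it in a degenerate PKCS#7 SignedData (.p7b) with no data and no signature, and unwrap it again. It assumes an `openssl` binary (1.1.1 or 3.x) on PATH and that the cert subject, validity and file names are arbitrary choices for illustration; nothing here is real key material.

```shell
#!/bin/sh
# Added example (not from the openssl-users post): cert, PUBKEY, PEM/DER
# and degenerate PKCS#7 (.p7b) handling with the openssl CLI.
# Assumes `openssl` is on PATH. Everything lives in a temp dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a 2048-bit RSA key and a one-day self-signed
# cert for an arbitrary subject (example.test is a placeholder).
make_cert() {
    openssl req -x509 -batch -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example.test" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Extract the SubjectPublicKeyInfo, which openssl calls PUBKEY, from the cert.
extract_pubkey() {
    openssl x509 -in "$WORK/cert.pem" -pubkey -noout > "$WORK/pub.pem"
}

# The PUBKEY taken from the cert must be the public half of the private key;
# both are emitted as PEM SubjectPublicKeyInfo, so they compare as text.
pubkey_matches_key() {
    from_key=$(openssl pkey -in "$WORK/key.pem" -pubout 2>/dev/null)
    from_cert=$(cat "$WORK/pub.pem")
    [ "$from_key" = "$from_cert" ]
}

# PEM -> DER -> PEM. DER is the raw ASN.1; PEM is base64 of the same bytes
# between BEGIN/END labels, so the SHA-256 fingerprint must not change.
pem_der_roundtrip() {
    openssl x509 -in "$WORK/cert.pem" -outform DER -out "$WORK/cert.der"
    openssl x509 -in "$WORK/cert.der" -inform DER -out "$WORK/cert2.pem"
    a=$(openssl x509 -in "$WORK/cert.pem" -noout -fingerprint -sha256)
    b=$(openssl x509 -in "$WORK/cert2.pem" -noout -fingerprint -sha256)
    [ "$a" = "$b" ]
}

# Build a .p7b: a PKCS#7 SignedData carrying only the cert, no CRL, no
# content and no signer. crl2pkcs7 is the openssl idiom for this.
make_p7b() {
    openssl crl2pkcs7 -nocrl -certfile "$WORK/cert.pem" -out "$WORK/cert.p7b"
}

# Confirm the outer ASN.1 type really is pkcs7-signedData.
p7b_is_signeddata() {
    openssl asn1parse -in "$WORK/cert.p7b" | grep -q ':pkcs7-signedData'
}

# Unwrap the .p7b back to a plain cert and compare fingerprints with the
# original. -print_certs prefixes subject/issuer text lines; the PEM reader
# in `openssl x509` skips them, so the output is re-encoded cleanly.
extract_from_p7b() {
    openssl pkcs7 -in "$WORK/cert.p7b" -print_certs -out "$WORK/from_p7b.txt"
    openssl x509 -in "$WORK/from_p7b.txt" -out "$WORK/from_p7b.pem"
    a=$(openssl x509 -in "$WORK/cert.pem" -noout -fingerprint -sha256)
    b=$(openssl x509 -in "$WORK/from_p7b.pem" -noout -fingerprint -sha256)
    [ "$a" = "$b" ]
}

# Run the whole sequence when executed directly.
run_all() {
    make_cert && extract_pubkey && pubkey_matches_key && \
    pem_der_roundtrip && make_p7b && p7b_is_signeddata && extract_from_p7b
}
```

The private key written by `make_cert` stays in the temp directory and is deleted on exit; in real use it belongs in a file with restrictive permissions (or a hardware token via an ENGINE/provider), never compiled into the program as the quoted question describes. The `.p7b` produced here carries the certificate only; whoever receives it still has to decide whether to trust that certificate, since the degenerate SignedData contains no signature of its own.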