> From: owner-openssl-us...@openssl.org On Behalf Of redpath
> Sent: Thursday, 18 July, 2013 11:03
>
> *I found the issue and fixed it but that leads to a question
> of security*
>
> The error is here. The x509 that I want to check I also provide as the
> issuer since it was issued by the same issuer.
>
What "same"? Every verifiable cert is issued by a CA "under" a CA cert
which is different from the entity (leaf) cert.

> x <== is the X509 loaded
>
> req->url = url;
> req->cert = x;
> req->issuer = x;
>
> but instead I change this and get a Good code back as a response.
> Using root issuer.
>
> req->url = url;
> req->cert = x;
> req->issuer = issuerRoot; <===
>
Exactly. The entity cert and the issuing cert are different.
The issuer isn't always a root, but in this case it is.

> The x509 I want to check is 1000.pem and the issuer file I use is
> cacert.pem.
>
> But is having the cacert.pem available for the program secure?
> The root certificate I created puts the private away and we
> use cacert.pem.
>
Yes, distributing certs is secure; that's what certs are for.
You actually must create a root *private-key* *and* certificate.
You keep the private-key private, and distribute the certificate.

> *Create CA signing key*
> openssl req -new -x509 -days 3650 -extensions v3_ca -keyout
> ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem -config myconfig.cnf
> -batch -passout pass:password
>
> *Just want to make sure there are no mistakes here.*
>
That does produce the correct files as above. The comment is incomplete:
it should be "CA (signing) key and cert".

On some (many?) systems, using -pass on the commandline, instead of answering
the prompt, may allow your password to be seen by an active attacker on your
system at that moment -- and if they get your password and (later) a copy of
your encrypted private-key file, they've got your private-key. It certainly
allows your password to be seen by a shoulder-surfer, but presumably you
would have noticed that, unless perhaps you were in an office or a public
place (like a cafe) and someone had a cellphone/PDA.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org