On 23/12/14 02:08, jack seth wrote:
> I assume you meant a CA private key should always be protected by a
> password correct? Does using a password for the CA (or any key)
> require you to encrypt the key?
yes I mean the CA private key; by protecting it with a password it is
encrypted using that password.
> How can a user remove a password if you have encrypted the client
> private key?
the user needs to know the password in order to use the cert/private key
pair. If the user knows the password he can remove it from the private
key using a simple openssl command:
openssl rsa -in private.key -out newprivate.key
the command will ask for the password for 'private.key' and will write
out a new private key without a password.
HTH,
JJK
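An added example, not part of the thread, that exercises the advice above with openssl(1): it generates a passphrase-protected key, checks whether a PEM key file is actually encrypted (a cheap audit check for a CA key), verifies that only the right passphrase unlocks it, and runs the `openssl rsa` command quoted above to write out a copy with the passphrase removed. The file names and passphrase are constructed values.

```shell
#!/bin/sh
# Added example exercising the thread's advice with openssl(1).
# All paths and passphrases below are constructed test values.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Generate a 2048-bit RSA key and encrypt it under a passphrase, which is
# what "protecting the CA key with a password" means in practice.
gen_encrypted_key() {   # $1 = output path, $2 = passphrase
    openssl genrsa -aes256 -passout "pass:$2" -out "$1" 2048 2>/dev/null
}

# Succeeds if the PEM file is passphrase-protected. Matches both the legacy
# "Proc-Type: 4,ENCRYPTED" header and the PKCS#8 "ENCRYPTED PRIVATE KEY" label.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Succeeds only if $2 unlocks $1; the key file itself is left untouched.
passphrase_unlocks() {
    openssl rsa -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# The command from the thread: a user who knows the passphrase can write
# out a copy of the key with no passphrase at all.
strip_passphrase() {   # $1 = input key, $2 = output key, $3 = passphrase
    openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null
}

# Audit check for a CA key: fail loudly if it is stored in plaintext.
check_ca_key_protected() {
    if key_is_encrypted "$1"; then
        echo "ok: $1 is passphrase-protected"
    else
        echo "WARNING: $1 is stored unencrypted" >&2
        return 1
    fi
}

demo() {
    gen_encrypted_key "$WORK/ca.key" "constructed-passphrase"
    check_ca_key_protected "$WORK/ca.key"
    strip_passphrase "$WORK/ca.key" "$WORK/ca-nopass.key" "constructed-passphrase"
    check_ca_key_protected "$WORK/ca-nopass.key" || true   # expected to warn
}

demo
```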
> ------------------------------------------------------------------------
> Date: Tue, 23 Dec 2014 00:38:14 +0100
> From: janj...@nikhef.nl
> To: bird_...@hotmail.com; pbychik...@yahoo.com;
> openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] What is the password for when generating keys?
>
> On 22/12/14 22:30, jack seth wrote:
>> Upon further inspection, I don't think this is the password for
>> your private key. The screen says "Please enter the following
>> 'extra' attributes to be sent with your certificate request. A
>> challenge password [] An optional company name []" What is this
>> password for?
> this is the 'challenge' password and is seldom used; you can protect
> your certificate REQUEST using a challenge password so that only the
> right CA can generate a certificate for it. This would protect the end
> user from receiving certificates signed by a malicious CA.
>> Also, I am wondering if it is a good idea to protect the CA
>> private key and client private keys with a password? What are the
>> pros and cons? I have read that it wouldn't be good to protect
>> the server's private key because it couldn't start up without
>> putting in the password.
> the CA private key should ALWAYS be protected using a private key -
> it's the most crucial part of your Public Key Infrastructure. It is
> also advisable to store the CA private key on a separate host - not on
> the client, not on the server.
> As for protecting client private keys using a password: it is a good
> security practice but a user can always remove the password, so don't
> think it adds THAT much security.
> HTH,
> JJK
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users